From fa6f5ea3580716becc512b9018d0689c243225a1 Mon Sep 17 00:00:00 2001
From: dzwdz
Date: Thu, 15 Sep 2022 23:22:49 +0200
Subject: user/tmpfs: fix buffer overflow

---
 src/user/app/tmpfs/tmpfs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/user/app/tmpfs/tmpfs.c b/src/user/app/tmpfs/tmpfs.c
index 606d682..0d3fe36 100644
--- a/src/user/app/tmpfs/tmpfs.c
+++ b/src/user/app/tmpfs/tmpfs.c
@@ -38,6 +38,7 @@ static struct node *lookup(struct node *parent, const char *path, size_t len) {
 }
 
 static struct node *tmpfs_open(const char *path, struct fs_wait_response *res) {
+	/* *path is not null terminated! */
 	struct node *node = &special_root;
 	if (res->len == 0) return NULL;
 	if (res->len == 1) return node;
@@ -48,7 +49,7 @@ static struct node *tmpfs_open(const char *path, struct fs_wait_response *res) {
 	size_t segpos = 0, seglen; /* segments end with a slash, inclusive */
 	while (more) {
 		struct node *const parent = node;
-		char *slash = memchr(path + segpos, '/', res->len);
+		char *slash = memchr(path + segpos, '/', res->len - segpos);
 		seglen = (slash ? (size_t)(slash - path + 1) : res->len) - segpos;
 		more = segpos + seglen < res->len;
 
-- 
cgit v1.2.3