Commit
1709cc8f (server: Convert non-afs commands to lopsub) from
one year ago dropped the terminating NULL pointer from the array
of sender commands, presumably because the array size is declared
as the NUM_SENDER_CMDS enum constant, and this constant can be used
to iterate over all sender subcommands.
However, the loop in check_sender_args() of command.c does not
terminate the loop after NUM_SENDER_CMDS elements but only when it
encounters a NULL pointer. Hence, without the terminating NULL, the
code reads beyond the end of the array. The resulting invalid memory
access causes the command handler process to segfault.
Fix this by changing the termination condition of the loop to check
the loop variable against NUM_SENDER_CMDS.
return -E_COMMAND_SYNTAX;
scd->sender_num = i;
arg = lls_input(1, lpr);
- for (i = 0; subcmds[i]; i++)
+ for (i = 0; i < NUM_SENDER_CMDS; i++)
if (!strcmp(subcmds[i], arg))
break;
- if (!subcmds[i])
+ if (i == NUM_SENDER_CMDS)
return -E_COMMAND_SYNTAX;
scd->cmd_num = i;
if (!senders[scd->sender_num].client_cmds[scd->cmd_num])
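Review bot: The new bound `i < NUM_SENDER_CMDS` is only correct while `subcmds` really has `NUM_SENDER_CMDS` entries, which the commit message says is how the array is declared; to keep the two from drifting apart again, consider iterating to `ARRAY_SIZE(subcmds)` (or adding a static assertion tying the array length to `NUM_SENDER_CMDS`) rather than repeating the enum constant in the loop. The matching `if (i == NUM_SENDER_CMDS)` check is consistent with the new loop, so the not-found path no longer dereferences past the array. Since the terminating NULL was removed from the array a year ago, it is worth confirming that no other code path still relies on NULL termination of `subcmds` or of the `client_cmds` table referenced in the final context line, as those would fail in the same way.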