From 408371cd5c6c06cdbd51513ab49ff0bc376cda26 Mon Sep 17 00:00:00 2001 From: Andre Noll Date: Tue, 25 Jul 2017 00:18:50 +0200 Subject: [PATCH] server: Fix segfault in com_sender(). Commit 1709cc8f (server: Convert non-afs commands to lopsub) from one year ago dropped the terminating NULL pointer from the array of sender commands, presumably because the array size is declared as the NUM_SENDER_CMDS enum constant, and this constant can be used to iterate over all sender subcommands. However, the loop in check_sender_args() of command.c does not terminate the loop after NUM_SENDER_CMDS elements but only when it encounters a NULL pointer. Hence, without the terminating NULL, the code reads beyond the end of the array. The resulting invalid memory access causes the command handler process to segfault. Fix this by changing the termination condition of the loop to check the loop variable against NUM_SENDER_CMDS. --- command.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/command.c b/command.c index 5802d37a..3943d6dc 100644 --- a/command.c +++ b/command.c @@ -246,10 +246,10 @@ static int check_sender_args(struct command_context *cc, return -E_COMMAND_SYNTAX; scd->sender_num = i; arg = lls_input(1, lpr); - for (i = 0; subcmds[i]; i++) + for (i = 0; i < NUM_SENDER_CMDS; i++) if (!strcmp(subcmds[i], arg)) break; - if (!subcmds[i]) + if (i == NUM_SENDER_CMDS) return -E_COMMAND_SYNTAX; scd->cmd_num = i; if (!senders[scd->sender_num].client_cmds[scd->cmd_num]) -- 2.30.2
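Review bot: the bounded loop `for (i = 0; i < NUM_SENDER_CMDS; i++)` and the `if (i == NUM_SENDER_CMDS)` check in check_sender_args() are correct only as long as the `subcmds` array really holds exactly NUM_SENDER_CMDS valid string pointers; since the commit message says the NULL sentinel was dropped a year ago, please add a compile-time check where the array is defined (a static assertion that `sizeof(subcmds) / sizeof(subcmds[0])` equals NUM_SENDER_CMDS, or declaring it as `subcmds[NUM_SENDER_CMDS]`) so the two cannot drift apart again, and audit the rest of the tree for any other loop that still terminates on `subcmds[i] == NULL`, because those would have the same over-read. The old loop also passed a NULL `subcmds[i]` to strcmp() once it ran off the end, so the segfault reported here was the benign outcome; an out-of-bounds read like this is caught immediately when the test suite runs under AddressSanitizer, and a regression test that sends an unknown sender subcommand name (the path that reaches the `i == NUM_SENDER_CMDS` branch) would keep it from coming back.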