nixos/wrappers: require argc to be at least one

setuid applications were exploited in the past with an empty argv, such as pkexec using CVE-2021-4034.
2 years ago · 2a6a3d2c47
parent 1009d6e79e
commit 2a6a3d2c47
1 changed files with 1 additions and 0 deletions
--- a/nixos/modules/security/wrappers/wrapper.c
+++ b/nixos/modules/security/wrappers/wrapper.c
@ -170,6 +170,7 @@ int readlink_malloc(const char *p, char **ret) {
 }

 int main(int argc, char **argv) {
+    ASSERT(argc >= 1);
    char *self_path = NULL;
    int self_path_size = readlink_malloc("/proc/self/exe", &self_path);
    if (self_path_size < 0) {