It is not guaranteed that the returned string of readline() actually contains as many bytes as buf can contain. If bufsz is larger than the allocated memory by readline, an out of boundary read occurs and leads to undefined behaviour. Most likely that will be a crash. This can be reproduced when readline-support is compiled in and when you directly enter "quit" and "n" (to not write changes back to disk) when sfdisk was called with any given device. Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx> --- disk-utils/sfdisk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/disk-utils/sfdisk.c b/disk-utils/sfdisk.c index 3911dda85..52ccc5251 100644 --- a/disk-utils/sfdisk.c +++ b/disk-utils/sfdisk.c @@ -133,7 +133,9 @@ static int get_user_reply(const char *prompt, char *buf, size_t bufsz) p = readline(prompt); if (!p) return 1; - memcpy(buf, p, bufsz); + strncpy(buf, p, bufsz); + if (bufsz != 0) + buf[bufsz - 1] = '\0'; free(p); } else #endif -- 2.20.1
