Author: kib
Date: Mon May 29 12:52:13 2017
New Revision: 319126
URL: https://svnweb.freebsd.org/changeset/base/319126

Log:
  MFC r318298:
  Fix several buffer overflows in realpath(3), and other minor issues.
  
  PR:   219154

Modified:
  stable/11/lib/libc/stdlib/realpath.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/lib/libc/stdlib/realpath.c
==============================================================================
--- stable/11/lib/libc/stdlib/realpath.c        Mon May 29 12:51:02 2017        (r319125)
+++ stable/11/lib/libc/stdlib/realpath.c        Mon May 29 12:52:13 2017        (r319126)
@@ -51,10 +51,11 @@ char *
 realpath(const char * __restrict path, char * __restrict resolved)
 {
        struct stat sb;
-       char *p, *q, *s;
-       size_t left_len, resolved_len;
+       char *p, *q;
+       size_t left_len, resolved_len, next_token_len;
        unsigned symlinks;
-       int m, slen;
+       int m;
+       ssize_t slen;
        char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
 
        if (path == NULL) {
@@ -109,18 +110,19 @@ realpath(const char * __restrict path, c
                 * and its length.
                 */
                p = strchr(left, '/');
-               s = p ? p : left + left_len;
-               if (s - left >= sizeof(next_token)) {
-                       if (m)
-                               free(resolved);
-                       errno = ENAMETOOLONG;
-                       return (NULL);
+
+               next_token_len = p ? p - left : left_len;
+               memcpy(next_token, left, next_token_len);
+               next_token[next_token_len] = '\0';
+
+               if (p != NULL) {
+                       left_len -= next_token_len + 1;
+                       memmove(left, p + 1, left_len + 1);
+               } else {
+                       left[0] = '\0';
+                       left_len = 0;
                }
-               memcpy(next_token, left, s - left);
-               next_token[s - left] = '\0';
-               left_len -= s - left;
-               if (p != NULL)
-                       memmove(left, s + 1, left_len + 1);
+
                if (resolved[resolved_len - 1] != '/') {
                        if (resolved_len + 1 >= PATH_MAX) {
                                if (m)
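Review bot: With the `s - left >= sizeof(next_token)` test removed, the `memcpy(next_token, left, next_token_len)` and the terminator store after it have no visible bound. They stay in range only because `next_token` and `left` are both declared `char [PATH_MAX]` and `left_len` is, presumably from checks outside this hunk, always smaller than `sizeof(left)`. I would record that next to the copy, e.g. `/* next_token_len <= left_len < sizeof(left) == sizeof(next_token) */`, or enforce the size relation with `_Static_assert(sizeof(next_token) >= sizeof(left), "next_token must hold any component of left");`. The last hunk's check against `sizeof(symlink)` appears to lean on the same equality, since its result is stored in `left_len`. The loop body starts before and continues after this hunk, so the `left_len` invariant should be confirmed against the full function.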
@@ -173,19 +175,25 @@ realpath(const char * __restrict path, c
                                errno = ELOOP;
                                return (NULL);
                        }
-                       slen = readlink(resolved, symlink, sizeof(symlink) - 1);
-                       if (slen < 0) {
+                       slen = readlink(resolved, symlink, sizeof(symlink));
+                       if (slen <= 0 || slen >= sizeof(symlink)) {
                                if (m)
                                        free(resolved);
+                               if (slen < 0) {
+                                       /* keep errno from readlink(2) call */
+                               } else if (slen == 0) {
+                                       errno = ENOENT;
+                               } else {
+                                       errno = ENAMETOOLONG;
+                               }
                                return (NULL);
                        }
                        symlink[slen] = '\0';
                        if (symlink[0] == '/') {
                                resolved[1] = 0;
                                resolved_len = 1;
-                       } else if (resolved_len > 1) {
+                       } else {
                                /* Strip the last path component. */
-                               resolved[resolved_len - 1] = '\0';
                                q = strrchr(resolved, '/') + 1;
                                *q = '\0';
                                resolved_len = q - resolved;
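Review bot: In the readlink error path `free(resolved)` runs before the `slen < 0` branch whose comment says errno from readlink(2) is kept, and free() is not guaranteed by every allocator to leave errno untouched. Saving it first makes the comment true: `int serrno = errno;` ahead of `if (m) free(resolved);` and `errno = serrno;` in the `slen < 0` branch. Separately, `slen >= sizeof(symlink)` compares `ssize_t` with `size_t`. It is correct only because `slen <= 0` short-circuits first, so a cast such as `slen >= (ssize_t)sizeof(symlink)` would make that explicit and quiet sign-compare warnings. The enclosing loop starts and ends outside this hunk.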
@@ -209,7 +217,7 @@ realpath(const char * __restrict path, c
                                }
                                left_len = strlcat(symlink, left,
                                    sizeof(symlink));
-                               if (left_len >= sizeof(left)) {
+                               if (left_len >= sizeof(symlink)) {
                                        if (m)
                                                free(resolved);
                                        errno = ENAMETOOLONG;