author | jh <jh@FreeBSD.org> | 2010-02-28 13:31:29 +0000 |
---|---|---|
committer | jh <jh@FreeBSD.org> | 2010-02-28 13:31:29 +0000 |
commit | dfdee678fd03cac5ff7c47a270bdf5bd2c745f59 (patch) | |
tree | 10e61a5ae7e93d8fdd7787613414f43da307b4e7 /lib/libc/stdio | |
parent | 9e0b98ecc5f10c13b2abee6e07bfe2420801f5a1 (diff) | |
In _gettemp(), check that the length of the path doesn't exceed
MAXPATHLEN. Otherwise the path name (or part of it) may not fit to
carrybuf causing a buffer overflow.
PR: bin/140228
Suggested by: jilles
Diffstat (limited to 'lib/libc/stdio')
-rw-r--r-- | lib/libc/stdio/mktemp.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/libc/stdio/mktemp.c b/lib/libc/stdio/mktemp.c index 3f1e699..a30b930 100644 --- a/lib/libc/stdio/mktemp.c +++ b/lib/libc/stdio/mktemp.c @@ -116,6 +116,10 @@ _gettemp(path, doopen, domkdir, slen) for (trv = path; *trv != '\0'; ++trv) ; + if (trv - path >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return (0); + } trv -= slen; suffp = trv; --trv; |
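Review bot: The added check `if (trv - path >= MAXPATHLEN) {` names the MAXPATHLEN constant, while the commit message says its purpose is to keep the path within carrybuf, and nothing in the hunk ties the two together. If carrybuf is declared as an array in this function, comparing against `sizeof(carrybuf)` (with a suitable cast) would keep the limit bound to the buffer if its declaration ever changes; at minimum, a short comment above the check should say that it guards carrybuf. Separately, the context line `trv -= slen;` that follows has no visible check that slen is no larger than the length just measured, so it is worth confirming that code outside this hunk rejects the case where trv ends up before path.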