Limit the number of paths that glob can return to MAX_GLOBENTRIES, which

is currently set to 10000.  This is intended to prevent glob from running
amok when a highly recursive path is provided (such as "../*/../*/../*/...")

Reviewed by: Diane Bruce <db@db.net>, jhb

1 files changed, 7 insertions, 0 deletions

diff --git a/lib/libc/gen/glob.c b/lib/libc/gen/glob.c
index 09dfd7a..48209cc 100644
--- a/lib/libc/gen/glob.c
+++ b/lib/libc/gen/glob.c
@@ -32,6 +32,8 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
+ * $FreeBSD$
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
@@ -78,6 +80,8 @@ static char sccsid[] = "@(#)glob.c	8.3 (Berkeley) 10/13/93";
 
 #include "collate.h"
 
+#define MAX_GLOBENTRIES	10000		/* limit number of entries */
+
 #define	DOLLAR		'$'
 #define	DOT		'.'
 #define	EOS		'\0'
@@ -658,6 +662,9 @@ globextend(path, pglob)
 	char *copy;
 	const Char *p;
 
+	if (pglob->gl_pathc > MAX_GLOBENTRIES)
+		return (GLOB_ABEND);
+
 	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
 	pathv = pglob->gl_pathv ?
 		    realloc((char *)pglob->gl_pathv, newsize) :