diff options
| author | kib <kib@FreeBSD.org> | 2017-05-29 12:52:13 +0000 |
|---|---|---|
| committer | kib <kib@FreeBSD.org> | 2017-05-29 12:52:13 +0000 |
| commit | 339353047fb5a16680c21458bea6b0e848aea65f (patch) | |
| tree | d80b550cc39b664a0a346c97837fdc53e0e44c53 /lib | |
| parent | c11bd573da4a63058beea47d7ae227e6c9e39cb6 (diff) | |
| download | FreeBSD-src-339353047fb5a16680c21458bea6b0e848aea65f.zip FreeBSD-src-339353047fb5a16680c21458bea6b0e848aea65f.tar.gz | |
MFC r318298:
Fix several buffer overflows in realpath(3), and other minor issues.
PR: 219154
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libc/stdlib/realpath.c | 46 |
1 files changed, 27 insertions, 19 deletions
diff --git a/lib/libc/stdlib/realpath.c b/lib/libc/stdlib/realpath.c index c4bd953..d4c20c7 100644 --- a/lib/libc/stdlib/realpath.c +++ b/lib/libc/stdlib/realpath.c @@ -51,10 +51,11 @@ char * realpath(const char * __restrict path, char * __restrict resolved) { struct stat sb; - char *p, *q, *s; - size_t left_len, resolved_len; + char *p, *q; + size_t left_len, resolved_len, next_token_len; unsigned symlinks; - int m, slen; + int m; + ssize_t slen; char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX]; if (path == NULL) { @@ -109,18 +110,19 @@ realpath(const char * __restrict path, char * __restrict resolved) * and its length. */ p = strchr(left, '/'); - s = p ? p : left + left_len; - if (s - left >= sizeof(next_token)) { - if (m) - free(resolved); - errno = ENAMETOOLONG; - return (NULL); + + next_token_len = p ? p - left : left_len; + memcpy(next_token, left, next_token_len); + next_token[next_token_len] = '\0'; + + if (p != NULL) { + left_len -= next_token_len + 1; + memmove(left, p + 1, left_len + 1); + } else { + left[0] = '\0'; + left_len = 0; } - memcpy(next_token, left, s - left); - next_token[s - left] = '\0'; - left_len -= s - left; - if (p != NULL) - memmove(left, s + 1, left_len + 1); + if (resolved[resolved_len - 1] != '/') { if (resolved_len + 1 >= PATH_MAX) { if (m) @@ -173,19 +175,25 @@ realpath(const char * __restrict path, char * __restrict resolved) errno = ELOOP; return (NULL); } - slen = readlink(resolved, symlink, sizeof(symlink) - 1); - if (slen < 0) { + slen = readlink(resolved, symlink, sizeof(symlink)); + if (slen <= 0 || slen >= sizeof(symlink)) { if (m) free(resolved); + if (slen < 0) { + /* keep errno from readlink(2) call */ + } else if (slen == 0) { + errno = ENOENT; + } else { + errno = ENAMETOOLONG; + } return (NULL); } symlink[slen] = '\0'; if (symlink[0] == '/') { resolved[1] = 0; resolved_len = 1; - } else if (resolved_len > 1) { + } else { /* Strip the last path component. */ - resolved[resolved_len - 1] = '\0'; q = strrchr(resolved, '/') + 1; *q = '\0'; resolved_len = q - resolved; @@ -209,7 +217,7 @@ realpath(const char * __restrict path, char * __restrict resolved) } left_len = strlcat(symlink, left, sizeof(symlink)); - if (left_len >= sizeof(left)) { + if (left_len >= sizeof(symlink)) { if (m) free(resolved); errno = ENAMETOOLONG; |
