Re: cvs commit: src/bin/cp utils.c src/bin/csh dir.c src/bin/pax ftree.c
- To: Bruce Evans <bde@xxxxxxxxxxx>
- Subject: Re: cvs commit: src/bin/cp utils.c src/bin/csh dir.c src/bin/pax ftree.c
- From: Warner Losh <imp@xxxxxxxxxxx>
- Date: Mon, 08 Jun 1998 23:46:01 -0600
- Cc: cvs-all@xxxxxxxxxxx, cvs-bin@xxxxxxxxxxx, cvs-committers@xxxxxxxxxxx
- In-reply-to: Your message of "Tue, 09 Jun 1998 15:37:16 +1000." <199806090537.PAA01402@xxxxxxxxxxxxxxxxxxxx>
- References: <199806090537.PAA01402@xxxxxxxxxxxxxxxxxxxx>
- Sender: owner-cvs-bin@xxxxxxxxxxx
In message <199806090537.PAA01402@xxxxxxxxxxxxxxxxxxxx> Bruce Evans writes:
: Actually, readlink() never NUL-terminates, but some buggy applications
: add their own NUL at the end of the path. Most applications use a buffer
: of size PATH_MAX, so it's not clear if there are any problems in practice.

This is true. The size returned from readlink is used to NUL
terminate the string in applications. If we used the length returned
when terminating the string, then we could have a one byte overflow.
This patch fixes that. Also, most of the code that I recall seeing
uses MAXPATHLEN, but that is defined to be PATH_MAX on FreeBSD, so you
are correct. The man page states that when the length of the name
exceeds PATH_MAX, it will return an error, but is silent on what
happens if the path length is exactly equal to PATH_MAX.

You are right that this likely isn't a problem or an exploitable hole,
but a little prevention doesn't hurt, no?

: Does nfs_readlink() actually work for foreign links of size PATH_MAX?

I have no clue one way or the other about this.
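
The one-byte overflow discussed in this message, as an added example that is not part of the original post or of the committed patch: readlink() can return exactly the buffer size it was given, so terminating at that index writes past the end unless one byte is held back. The helper names `readlink_str` and `make_sample_link`, the 8-byte buffer and the 10-byte link target are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: NUL-terminated readlink(); returns length or -1. */
ssize_t readlink_str(const char *path, char *buf, size_t bufsize)
{
    ssize_t len;

    if (bufsize == 0)
        return -1;
    /* Offer readlink() one byte less than we own: it may fill every byte it
     * is given and never writes a terminator itself. */
    len = readlink(path, buf, bufsize - 1);
    if (len < 0)
        return -1;
    buf[len] = '\0';            /* len <= bufsize - 1, always in bounds */
    return len;
}

/* Constructed sample input: a symlink in a fresh temporary directory whose
 * 10-byte target is longer than the 8-byte buffer used in main(). */
int make_sample_link(char *path, size_t pathsize)
{
    char dir[] = "/tmp/rldemoXXXXXX";

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, pathsize, "%s/link", dir);
    return symlink("0123456789", path);
}

int main(void)
{
    char lnk[64], small[8];
    if (make_sample_link(lnk, sizeof(lnk)) != 0)
        return 1;
    /* 8 == sizeof(small): small[8] = '\0' would be one byte out of bounds. */
    printf("readlink, full size: %zd\n", readlink(lnk, small, sizeof(small)));
    printf("readlink_str: %zd\n", readlink_str(lnk, small, sizeof(small)));
    printf("stored target: %s\n", small);
    unlink(lnk);                /* remove the sample link ... */
    *strrchr(lnk, '/') = '\0';
    rmdir(lnk);                 /* ... and its temporary directory */
    return 0;
}
```

A return value equal to `bufsize - 1` from the helper means the target either fit exactly or was truncated; callers that must tell the two apart need a larger buffer or an lstat() size check.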