From owner-cvs-all Mon Jun 8 22:45:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA06729 for cvs-all-outgoing; Mon, 8 Jun 1998 22:45:49 -0700 (PDT) (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id WAA06721; Mon, 8 Jun 1998 22:45:43 -0700 (PDT) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yjHE5-0004oA-00; Mon, 8 Jun 1998 23:45:41 -0600
Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id XAA05689; Mon, 8 Jun 1998 23:46:01 -0600 (MDT)
Message-Id: <199806090546.XAA05689@harmony.village.org>
To: Bruce Evans
Subject: Re: cvs commit: src/bin/cp utils.c src/bin/csh dir.c src/bin/pax ftree.c
Cc: cvs-all@FreeBSD.ORG, cvs-bin@FreeBSD.ORG, cvs-committers@FreeBSD.ORG
In-reply-to: Your message of "Tue, 09 Jun 1998 15:37:16 +1000." <199806090537.PAA01402@godzilla.zeta.org.au>
References: <199806090537.PAA01402@godzilla.zeta.org.au>
Date: Mon, 08 Jun 1998 23:46:01 -0600
From: Warner Losh
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

In message <199806090537.PAA01402@godzilla.zeta.org.au> Bruce Evans writes:
: Actually, readlink() never NUL-terminates, but some buggy applications
: add their own NUL at the end of the path. Most applications use a buffer
: of size PATH_MAX, so it's not clear if there are any problems in practice.

This is true. The size returned from readlink is used to NUL terminate the string in applications. If we used the length returned when terminating the string, then we could have a one byte overflow. This patch fixes that.

Also, most of the code that I recall seeing uses MAXPATHLEN, but that is defined to be PATH_MAX on FreeBSD, so you are correct.
The man page states that when the length of the name exceeds PATH_MAX, it will return an error, but is silent on what happens if the path length is exactly equal to PATH_MAX. You are right that this likely isn't a problem or an exploitable hole, but a little prevention doesn't hurt, no?

: Does nfs_readlink() actually work for foreign links of size PATH_MAX?

I have no clue one way or the other about this.

Warner
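
The one-byte overflow discussed in this message, as an added example that is not part of the original mail or of the FreeBSD commit: a wrapper that offers readlink() one byte less than the buffer holds, so the terminating NUL always lands inside it. The names readlink_terminated and probe, the /tmp path and the canary check are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700	/* readlink, symlink, mkdtemp */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: NUL-terminate a readlink() result inside buf.
 * readlink() is offered bufsize - 1 bytes, so buf[len] is always in bounds;
 * a result that fills all of them may be truncated and fails (ENAMETOOLONG). */
ssize_t readlink_terminated(const char *path, char *buf, size_t bufsize)
{
	ssize_t len;
	errno = EINVAL;			/* reported when bufsize < 2 */
	if (bufsize < 2 || (len = readlink(path, buf, bufsize - 1)) < 0)
		return -1;
	if ((size_t)len == bufsize - 1) {
		errno = ENAMETOOLONG;
		return -1;
	}
	buf[len] = '\0';
	return len;
}

/* Constructed fixture: symlink with a tlen-byte target, read back through a
 * bufsize-byte buffer plus canary. -2: canary overwritten, -3: setup failed. */
ssize_t probe(size_t tlen, size_t bufsize)
{
	char dir[] = "/tmp/rlnk.XXXXXX", lnk[32], target[256] = "", buf[257];
	ssize_t r = -3;
	if (tlen >= sizeof(target) || bufsize >= sizeof(buf) || !mkdtemp(dir))
		return r;
	memset(target, 'a', tlen);	/* target[] was zeroed, so it stays terminated */
	snprintf(lnk, sizeof(lnk), "%s/l", dir);
	if (symlink(target, lnk) == 0) {
		buf[bufsize] = 0x5a;	/* canary just past the usable buffer */
		r = readlink_terminated(lnk, buf, bufsize);
		if (buf[bufsize] != 0x5a)
			r = -2;
		unlink(lnk);
	}
	rmdir(dir);
	return r;
}

int main(void)
{
	printf("%zd %zd %zd\n", probe(62, 64), probe(63, 64), probe(100, 64));
	return 0;
}
```

Rejecting a result that exactly fills the offered space is a conservative choice of this example: readlink() truncates silently, so a full buffer cannot be told apart from a longer target.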