Date: Mon, 08 Jun 1998 23:46:01 -0600
From: Warner Losh <imp@village.org>
To: Bruce Evans <bde@zeta.org.au>
Cc: cvs-all@FreeBSD.ORG, cvs-bin@FreeBSD.ORG, cvs-committers@FreeBSD.ORG
Subject: Re: cvs commit: src/bin/cp utils.c src/bin/csh dir.c src/bin/pax ftree.c
Message-ID: <199806090546.XAA05689@harmony.village.org>
In-Reply-To: Your message of "Tue, 09 Jun 1998 15:37:16 +1000." <199806090537.PAA01402@godzilla.zeta.org.au>
References: <199806090537.PAA01402@godzilla.zeta.org.au>

In message <199806090537.PAA01402@godzilla.zeta.org.au> Bruce Evans writes:
: Actually, readlink() never NUL-terminates, but some buggy applications
: add their own NUL at the end of the path. Most applications use a buffer
: of size PATH_MAX, so it's not clear if there are any problems in practice.

This is true. The size returned from readlink is used to NUL terminate
the string in applications. If we used the length returned when
terminating the string, then we could have a one byte overflow. This
patch fixes that. Also, most of the code that I recall seeing uses
MAXPATHLEN, but that is defined to be PATH_MAX on FreeBSD, so you are
correct.

The man page states that when the length of the name exceeds PATH_MAX,
it will return an error, but is silent on what happens if the path
length is exactly equal to PATH_MAX.

You are right that this likely isn't a problem or an exploitable hole,
but a little prevention doesn't hurt, no?

: Does nfs_readlink() actually work for foreign links of size PATH_MAX?

I have no clue one way or the other about this.

Warner
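
The boundary case discussed in this message, as an added example that is not part of the original e-mail or of the FreeBSD commit: when the link target is exactly as long as the buffer, readlink() returns the buffer size, so terminating at buf[n] writes one byte past the end. The names readlink_str and probe are hypothetical, and offering readlink() one byte less than the buffer is one common way to keep the terminator in bounds.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: readlink() that NUL-terminates.  Only bufsize - 1
 * bytes are offered to readlink(), so buf[n] is always inside the buffer. */
ssize_t readlink_str(const char *path, char *buf, size_t bufsize)
{
    if (bufsize == 0) {
        errno = EINVAL;
        return -1;
    }
    ssize_t n = readlink(path, buf, bufsize - 1);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

/* Constructed test case: create a symlink whose target is `len` bytes and
 * return the length reported for a buffer declared as `cap` bytes, using
 * raw readlink() (safe == 0) or readlink_str() (safe != 0).  The real
 * allocation is cap + 1 bytes, so the probe itself never overflows. */
ssize_t probe(size_t len, size_t cap, int safe)
{
    char dir[] = "/tmp/rlXXXXXX", link[64];
    char *target = malloc(len + 1), *buf = malloc(cap + 1);
    ssize_t n = -1;

    if (target != NULL && buf != NULL && mkdtemp(dir) != NULL) {
        memset(target, 'a', len);
        target[len] = '\0';
        snprintf(link, sizeof(link), "%s/l", dir);
        if (symlink(target, link) == 0) {
            n = safe ? readlink_str(link, buf, cap) : readlink(link, buf, cap);
            unlink(link);
        }
        rmdir(dir);
    }
    free(target);
    free(buf);
    return n;
}

int main(void) {
    printf("raw=%zd safe=%zd\n", probe(16, 16, 0), probe(16, 16, 1));
    return 0;
}
```

With the raw call the returned length equals the declared buffer size, which is the index an application would overflow by one byte; with the helper the result is capped at cap - 1, and a caller that sees n == cap - 1 should treat the target as possibly truncated.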