Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 29 May 2017 12:58:30 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r319129 - stable/10/lib/libc/stdlib
Message-ID:  <201705291258.v4TCwU2h093614@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: kib
Date: Mon May 29 12:58:30 2017
New Revision: 319129
URL: https://svnweb.freebsd.org/changeset/base/319129

Log:
  MFC r318298:
  Fix several buffer overflows in realpath(3), and other minor issues.
  
  PR:	219154

Modified:
  stable/10/lib/libc/stdlib/realpath.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/lib/libc/stdlib/realpath.c
==============================================================================
--- stable/10/lib/libc/stdlib/realpath.c	Mon May 29 12:55:26 2017	(r319128)
+++ stable/10/lib/libc/stdlib/realpath.c	Mon May 29 12:58:30 2017	(r319129)
@@ -51,10 +51,11 @@ char *
 realpath(const char * __restrict path, char * __restrict resolved)
 {
 	struct stat sb;
-	char *p, *q, *s;
-	size_t left_len, resolved_len;
+	char *p, *q;
+	size_t left_len, resolved_len, next_token_len;
 	unsigned symlinks;
-	int m, slen;
+	int m;
+	ssize_t slen;
 	char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
 
 	if (path == NULL) {
@@ -109,18 +110,19 @@ realpath(const char * __restrict path, c
 		 * and its length.
 		 */
 		p = strchr(left, '/');
-		s = p ? p : left + left_len;
-		if (s - left >= sizeof(next_token)) {
-			if (m)
-				free(resolved);
-			errno = ENAMETOOLONG;
-			return (NULL);
+
+		next_token_len = p ? p - left : left_len;
+		memcpy(next_token, left, next_token_len);
+		next_token[next_token_len] = '\0';
+
+		if (p != NULL) {
+			left_len -= next_token_len + 1;
+			memmove(left, p + 1, left_len + 1);
+		} else {
+			left[0] = '\0';
+			left_len = 0;
 		}
-		memcpy(next_token, left, s - left);
-		next_token[s - left] = '\0';
-		left_len -= s - left;
-		if (p != NULL)
-			memmove(left, s + 1, left_len + 1);
+
 		if (resolved[resolved_len - 1] != '/') {
 			if (resolved_len + 1 >= PATH_MAX) {
 				if (m)
@@ -173,19 +175,25 @@ realpath(const char * __restrict path, c
 				errno = ELOOP;
 				return (NULL);
 			}
-			slen = readlink(resolved, symlink, sizeof(symlink) - 1);
-			if (slen < 0) {
+			slen = readlink(resolved, symlink, sizeof(symlink));
+			if (slen <= 0 || slen >= sizeof(symlink)) {
 				if (m)
 					free(resolved);
+				if (slen < 0) {
+					/* keep errno from readlink(2) call */
+				} else if (slen == 0) {
+					errno = ENOENT;
+				} else {
+					errno = ENAMETOOLONG;
+				}
 				return (NULL);
 			}
 			symlink[slen] = '\0';
 			if (symlink[0] == '/') {
 				resolved[1] = 0;
 				resolved_len = 1;
-			} else if (resolved_len > 1) {
+			} else {
 				/* Strip the last path component. */
-				resolved[resolved_len - 1] = '\0';
 				q = strrchr(resolved, '/') + 1;
 				*q = '\0';
 				resolved_len = q - resolved;
@@ -209,7 +217,7 @@ realpath(const char * __restrict path, c
 				}
 				left_len = strlcat(symlink, left,
 				    sizeof(symlink));
-				if (left_len >= sizeof(left)) {
+				if (left_len >= sizeof(symlink)) {
 					if (m)
 						free(resolved);
 					errno = ENAMETOOLONG;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201705291258.v4TCwU2h093614>