This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/6654] New: realpath contains off-by-one errors
- From: "john at calva dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 18 Jun 2008 13:09:23 -0000
- Subject: [Bug libc/6654] New: realpath contains off-by-one errors
- Reply-to: sourceware-bugzilla at sourceware dot org
In realpath (stdlib/canonicalize.c) we have:

    #ifdef PATH_MAX
      path_max = PATH_MAX;
    #else
      path_max = pathconf (name, _PC_PATH_MAX);
      if (path_max <= 0)
        path_max = 1024;
    #endif
    [...]
      char *buf = __alloca (path_max);
    [...]
      n = __readlink (rpath, buf, path_max);
      if (n < 0)
        goto error;
      buf[n] = '\0';

readlink would be quite happy to fill all path_max bytes of buf, returning
path_max as n, then we'll write into buf[path_max] which is one byte beyond the
allocated space.
Need either +1 on the alloca or -1 on the readlink.
--
Summary: realpath contains off-by-one errors
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: john at calva dot com
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=6654
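
The following is an added example, not part of the original report and not glibc code: it reads back a symlink whose target is exactly as long as the buffer, then applies each of the two fixes the report proposes. The helper `read_link_len`, the scratch directory under `/tmp` and the 32-byte stand-in for `path_max` are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a symlink whose target is exactly `len` bytes, then read it back
   into a heap buffer of `cap` bytes, passing `ask` as readlink's bufsiz.
   Returns readlink's result, or -2 if setup fails.  A result equal to `cap`
   means a following buf[n] = '\0' would land one byte past the buffer. */
static long read_link_len (size_t len, size_t cap, size_t ask)
{
  char dir[] = "/tmp/rl-demo-XXXXXX";   /* constructed scratch location */
  char lpath[64], target[256];
  long n = -2;

  if (len >= sizeof target || ask > cap || mkdtemp (dir) == NULL)
    return -2;
  memset (target, 'a', len);
  target[len] = '\0';
  snprintf (lpath, sizeof lpath, "%s/l", dir);

  char *buf = malloc (cap);
  if (buf != NULL && symlink (target, lpath) == 0)
    {
      n = readlink (lpath, buf, ask);   /* never writes a terminator */
      if (n >= 0 && (size_t) n < cap)
        buf[n] = '\0';                  /* only store when it is in bounds */
      unlink (lpath);
    }
  free (buf);
  rmdir (dir);
  return n;
}

int main (void)
{
  size_t path_max = 32;                 /* small stand-in for PATH_MAX */
  /* As reported: buffer and bufsiz are both path_max, target fills it. */
  printf ("reported: n=%ld cap=%zu\n", read_link_len (32, 32, 32), path_max);
  /* "+1 on the alloca": the buffer has room for the terminator. */
  printf ("alloc+1:  n=%ld cap=%zu\n", read_link_len (32, 33, 32), path_max + 1);
  /* "-1 on the readlink": n can be at most path_max - 1. */
  printf ("ask-1:    n=%ld cap=%zu\n", read_link_len (32, 32, 31), path_max);
  return 0;
}
```

With the "-1 on the readlink" variant a target of full length is silently truncated, so a caller that needs the whole target should treat `n == bufsiz` as possible truncation.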