Changeset 3914

Timestamp:

Oct 24, 2014, 4:01:38 PM (11 years ago)

Author:

bird

Message:

trunk,0.6: Fixed buffer overflow in fsResolveUnix that would trigger if the input path was too long.

Files:

• branches/libc-0.6/src/emx/include/InnoTekLIBC/backend.h (modified) (1 diff)
• branches/libc-0.6/src/emx/src/lib/sys/b_fsPathResolve.c (modified) (1 diff)
• branches/libc-0.6/src/emx/src/lib/sys/fs.c (modified) (1 diff)
• trunk/libc/include/klibc/backend.h (modified) (1 diff)
• trunk/libc/src/kNIX/b_fsPathResolve.c (modified) (1 diff)
• trunk/libc/src/kNIX/os2/fs-os2.c (modified) (1 diff)
• trunk/libc/tests/libc/Makefile (modified) (1 diff)
• trunk/libc/tests/libc/io/pathresolving-2.c (copied) (copied from branches/libc-0.6/src/emx/testcase/misc/back-fsresolve-1.c )

branches/libc-0.6/src/emx/include/InnoTekLIBC/backend.h

@@ -189 +189 @@
 /** Get the native path instead, no unix root translations. */
 #define __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE      0x10
+/** Direct buffer mode for testing purposes.  */
+#define __LIBC_BACKFS_FLAGS_RESOLVE_DIRECT_BUF  0x8000
 /** @} */
 

branches/libc-0.6/src/emx/src/lib/sys/b_fsPathResolve.c

@@ -65 +65 @@
      */
     int             fInUnixTree = 0;
-    char            szNativePath[PATH_MAX];
     unsigned int    fBackFsFlags = fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_FULL_MAYBE
                                  ? BACKFS_FLAGS_RESOLVE_DIR_MAYBE | BACKFS_FLAGS_RESOLVE_FULL_MAYBE
                                  : BACKFS_FLAGS_RESOLVE_DIR_MAYBE | BACKFS_FLAGS_RESOLVE_FULL;
-    szNativePath[0] = szNativePath[1] = szNativePath[2] = szNativePath[3] = '\0';
-    rc = __libc_back_fsResolve(pszPath, fBackFsFlags, szNativePath, &fInUnixTree);
+    if (!(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_DIRECT_BUF))
+    {
+        char        szNativePath[PATH_MAX];
+        szNativePath[0] = szNativePath[1] = szNativePath[2] = szNativePath[3] = '\0';
+        rc = __libc_back_fsResolve(pszPath, fBackFsFlags, szNativePath, &fInUnixTree);
 
-    /*
-     * Copy the (half) result back to the caller.
-     */
-    char *pszSrc = &szNativePath[0];
-    if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
-        && fInUnixTree
-        && *pszSrc)
+        /*
+         * Copy the (half) result back to the caller.
+         */
+        char *pszSrc = &szNativePath[0];
+        if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
+            && fInUnixTree
+            && *pszSrc)
+        {
+            pszSrc += __libc_gcchUnixRoot;
+            LIBC_ASSERTM(*pszSrc == '/', "bogus fInUnixTree flag! pszSrc='%s' whole thing is '%s'\n", pszSrc, szNativePath);
+        }
+        __libc_back_fsMutexRelease();
+
+        int cch = strlen(pszSrc) + 1;
+        if (cch < cchBuf)
+            memcpy(pszBuf, pszSrc, cchBuf);
+        else if (!rc)
+            rc = -ERANGE;
+    }
+    else
     {
-        pszSrc += __libc_gcchUnixRoot;
-        LIBC_ASSERTM(*pszSrc == '/', "bogus fInUnixTree flag! pszSrc='%s' whole thing is '%s'\n", pszSrc, szNativePath);
+        /*
+         * Special case for testing purposes only.
+         */
+        if (cchBuf >= PATH_MAX)
+        {
+            rc = __libc_back_fsResolve(pszPath, fBackFsFlags, pszBuf, &fInUnixTree);
+            if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
+                && fInUnixTree
+                && pszBuf)
+            {
+                memmove(pszBuf, pszBuf + __libc_gcchUnixRoot, strlen(pszBuf) - __libc_gcchUnixRoot + 1);
+                LIBC_ASSERTM(*pszBuf== '/', "bogus fInUnixTree flag! pszBuf='%s'\n", pszBuf);
+            }
+        }
+        else
+            rc = EINVAL;
+
+        __libc_back_fsMutexRelease();
     }
-    __libc_back_fsMutexRelease();
-
-    int cch = strlen(pszSrc) + 1;
-    if (cch < cchBuf)
-        memcpy(pszBuf, pszSrc, cchBuf);
-    else if (!rc)
-        rc = -ERANGE;
 
     if (!rc)

branches/libc-0.6/src/emx/src/lib/sys/fs.c

@@ -1013 +1013 @@
             {
                 if ((uintptr_t)(pszUserPath - pachBuffer) > SIZEOF_ACHBUFFER)
-                    pszUserPath = strcpy(pachBuffer, pszUserPath);
+                {
+                    size_t cbUserPath = strlen(pszUserPath) + 1;
+                    if (cbUserPath > PATH_MAX)
+                    {
+                        rcRet = -ENAMETOOLONG;
+                        break;
+                    }
+                    pszUserPath = memcpy(pachBuffer, pszUserPath, cbUserPath);
+                }
                 *(char *)(void *)pszUserPath += 'A' - 'a';
             }

trunk/libc/include/klibc/backend.h

@@ -265 +265 @@
 /** Get the native path instead, no unix root translations. */
 #define __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE      0x10
+/** Direct buffer mode for testing purposes.  */
+#define __LIBC_BACKFS_FLAGS_RESOLVE_DIRECT_BUF  0x8000
 /** @} */
 

trunk/libc/src/kNIX/b_fsPathResolve.c

@@ -53 +53 @@
      */
     int             fInUnixTree = 0;
-    char            szNativePath[PATH_MAX];
     unsigned int    fBackFsFlags = fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_FULL_MAYBE
                                  ? BACKFS_FLAGS_RESOLVE_DIR_MAYBE | BACKFS_FLAGS_RESOLVE_FULL_MAYBE
                                  : BACKFS_FLAGS_RESOLVE_DIR_MAYBE | BACKFS_FLAGS_RESOLVE_FULL;
-    szNativePath[0] = szNativePath[1] = szNativePath[2] = szNativePath[3] = '\0';
-    rc = __libc_back_fsResolve(pszPath, fBackFsFlags, szNativePath, &fInUnixTree);
+    if (!(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_DIRECT_BUF))
+    {
+        char            szNativePath[PATH_MAX];
+        szNativePath[0] = szNativePath[1] = szNativePath[2] = szNativePath[3] = '\0';
+        rc = __libc_back_fsResolve(pszPath, fBackFsFlags, szNativePath, &fInUnixTree);
 
-    /*
-     * Copy the (half) result back to the caller.
-     */
-    char *pszSrc = &szNativePath[0];
-    if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
-        && fInUnixTree
-        && *pszSrc)
+        /*
+         * Copy the (half) result back to the caller.
+         */
+        char *pszSrc = &szNativePath[0];
+        if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
+            && fInUnixTree
+            && *pszSrc)
+        {
+            pszSrc += __libc_gcchUnixRoot;
+            LIBC_ASSERTM(*pszSrc == '/', "bogus fInUnixTree flag! pszSrc='%s' whole thing is '%s'\n", pszSrc, szNativePath);
+        }
+        __libc_back_fsMutexRelease();
+
+        int cch = strlen(pszSrc) + 1;
+        if (cch < cchBuf)
+            memcpy(pszBuf, pszSrc, cchBuf);
+        else if (!rc)
+            rc = -ERANGE;
+    }
+    else
     {
-        pszSrc += __libc_gcchUnixRoot;
-        LIBC_ASSERTM(*pszSrc == '/', "bogus fInUnixTree flag! pszSrc='%s' whole thing is '%s'\n", pszSrc, szNativePath);
-    }
-    __libc_back_fsMutexRelease();
+        /*
+         * Special case for testing purposes only.
+         */
+        if (cchBuf >= PATH_MAX)
+        {
+            rc = __libc_back_fsResolve(pszPath, fBackFsFlags, pszBuf, &fInUnixTree);
+            if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
+                && fInUnixTree
+                && pszBuf)
+            {
+                memmove(pszBuf, pszBuf + __libc_gcchUnixRoot, strlen(pszBuf) - __libc_gcchUnixRoot + 1);
+                LIBC_ASSERTM(*pszBuf== '/', "bogus fInUnixTree flag! pszBuf='%s'\n", pszBuf);
+            }
+        }
+        else
+            rc = EINVAL;
 
-    int cch = strlen(pszSrc) + 1;
-    if (cch < cchBuf)
-        memcpy(pszBuf, pszSrc, cchBuf);
-    else if (!rc)
-        rc = -ERANGE;
+        __libc_back_fsMutexRelease();
+     }
 
     if (!rc)

trunk/libc/src/kNIX/os2/fs-os2.c

@@ -978 +978 @@
             {
                 if ((uintptr_t)(pszUserPath - pachBuffer) > SIZEOF_ACHBUFFER)
-                    pszUserPath = strcpy(pachBuffer, pszUserPath);
+                {
+                    size_t cbUserPath = strlen(pszUserPath) + 1;
+                    if (cbUserPath > PATH_MAX)
+                    {
+                        rcRet = -ENAMETOOLONG;
+                        break;
+                    }
+                    pszUserPath = memcpy(pachBuffer, pszUserPath, cbUserPath);
+                }
                 *(char *)(void *)pszUserPath += 'A' - 'a';
             }

trunk/libc/tests/libc/Makefile

@@ -158 +158 @@
         io/sprintf-1.c \
         io/sscanf-1.c \
-        io/pathresolving-1.c
+        io/pathresolving-1.c \
+        io/pathresolving-2.c