Timestamp:
Oct 24, 2014, 4:01:38 PM (11 years ago)
Author:
bird
Message:

trunk,0.6: Fixed buffer overflow in fsResolveUnix that would trigger if the input path was too long.

File:
1 edited

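--- a/trunk/libc/src/kNIX/b_fsPathResolve.c
+++ b/trunk/libc/src/kNIX/b_fsPathResolve.c
@@ -53,29 +53,53 @@
      */
     int             fInUnixTree = 0;
-    char            szNativePath[PATH_MAX];
     unsigned int    fBackFsFlags = fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_FULL_MAYBE
                                  ? BACKFS_FLAGS_RESOLVE_DIR_MAYBE | BACKFS_FLAGS_RESOLVE_FULL_MAYBE
                                  : BACKFS_FLAGS_RESOLVE_DIR_MAYBE | BACKFS_FLAGS_RESOLVE_FULL;
-    szNativePath[0] = szNativePath[1] = szNativePath[2] = szNativePath[3] = '\0';
-    rc = __libc_back_fsResolve(pszPath, fBackFsFlags, szNativePath, &fInUnixTree);
+    if (!(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_DIRECT_BUF))
+    {
+        char            szNativePath[PATH_MAX];
+        szNativePath[0] = szNativePath[1] = szNativePath[2] = szNativePath[3] = '\0';
+        rc = __libc_back_fsResolve(pszPath, fBackFsFlags, szNativePath, &fInUnixTree);
 
-    /*
-     * Copy the (half) result back to the caller.
-     */
-    char *pszSrc = &szNativePath[0];
-    if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
-        && fInUnixTree
-        && *pszSrc)
+        /*
+         * Copy the (half) result back to the caller.
+         */
+        char *pszSrc = &szNativePath[0];
+        if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
+            && fInUnixTree
+            && *pszSrc)
+        {
+            pszSrc += __libc_gcchUnixRoot;
+            LIBC_ASSERTM(*pszSrc == '/', "bogus fInUnixTree flag! pszSrc='%s' whole thing is '%s'\n", pszSrc, szNativePath);
+        }
+        __libc_back_fsMutexRelease();
+
+        int cch = strlen(pszSrc) + 1;
+        if (cch < cchBuf)
+            memcpy(pszBuf, pszSrc, cchBuf);
+        else if (!rc)
+            rc = -ERANGE;
+    }
+    else
     {
-        pszSrc += __libc_gcchUnixRoot;
-        LIBC_ASSERTM(*pszSrc == '/', "bogus fInUnixTree flag! pszSrc='%s' whole thing is '%s'\n", pszSrc, szNativePath);
-    }
-    __libc_back_fsMutexRelease();
+        /*
+         * Special case for testing purposes only.
+         */
+        if (cchBuf >= PATH_MAX)
+        {
+            rc = __libc_back_fsResolve(pszPath, fBackFsFlags, pszBuf, &fInUnixTree);
+            if (   !(fFlags & __LIBC_BACKFS_FLAGS_RESOLVE_NATIVE)
+                && fInUnixTree
+                && pszBuf)
+            {
+                memmove(pszBuf, pszBuf + __libc_gcchUnixRoot, strlen(pszBuf) - __libc_gcchUnixRoot + 1);
+                LIBC_ASSERTM(*pszBuf== '/', "bogus fInUnixTree flag! pszBuf='%s'\n", pszBuf);
+            }
+        }
+        else
+            rc = EINVAL;
 
-    int cch = strlen(pszSrc) + 1;
-    if (cch < cchBuf)
-        memcpy(pszBuf, pszSrc, cchBuf);
-    else if (!rc)
-        rc = -ERANGE;
+        __libc_back_fsMutexRelease();
+     }
 
     if (!rc)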
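Review bot: The copy at new line 79 still reads past the scratch buffer when the caller's buffer is larger than it: `memcpy(pszBuf, pszSrc, cchBuf)` copies cchBuf bytes out of a PATH_MAX-byte stack array (and pszSrc has been advanced by __libc_gcchUnixRoot when fInUnixTree is set), while the `cch < cchBuf` guard only bounds the destination, so it should copy the string's own length, `memcpy(pszBuf, pszSrc, cch);`. In the direct-buffer branch the `&& pszBuf)` test checks the pointer rather than the resolved string, unlike the `*pszSrc` test in the sibling branch; with an empty result the memmove length `strlen(pszBuf) - __libc_gcchUnixRoot + 1` would go negative or wrap, so it likely should read `&& *pszBuf)`. The fallback `rc = EINVAL;` is positive while the other branch sets `rc = -ERANGE;`; if the negative convention is the intended one it should be `rc = -EINVAL;`. The enclosing function starts and ends outside the hunk.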