lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-12-24 17:51:17 +03:00
Code Activity

realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]

Browse Source 
realpath returns an allocated string when the result exceeds PATH_MAX,
which is unexpected when its second argument is not NULL.  This results
in the second argument (resolved) being uninitialized and also results
in a memory leak since the caller expects resolved to be the same as the
returned value.

Return NULL and set errno to ENAMETOOLONG if the result exceeds
PATH_MAX.  This fixes [BZ #28770], which is CVE-2021-3998.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
This commit is contained in:
Siddhesh Poyarekar
2022-01-13 11:28:36 +05:30
parent fb7bff12e8
commit ee8d5e33ad
4 changed files with 64 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
stdlib/canonicalize.c
View File

@@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved,
error:
*dest++ = '\0';
if (resolved != NULL && dest - rname <= get_path_max ())
rname = strcpy (resolved, rname);
if (resolved != NULL)
{
if (dest - rname <= get_path_max ())
rname = strcpy (resolved, rname);
else
{
failed = true;
__set_errno (ENAMETOOLONG);
}
}
error_nomem:
scratch_buffer_free (&extra_buffer);