mirror of
https://sourceware.org/git/glibc.git
synced 2024-11-21 12:30:06 +00:00
realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]
realpath returns an allocated string when the result exceeds PATH_MAX, which is unexpected when its second argument is not NULL. This results in the second argument (resolved) being uninitialized and also results in a memory leak since the caller expects resolved to be the same as the returned value. Return NULL and set errno to ENAMETOOLONG if the result exceeds PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
This commit is contained in:
parent
fb7bff12e8
commit
ee8d5e33ad
4
NEWS
4
NEWS
@ -166,6 +166,10 @@ Security related changes:
|
||||
CVE-2022-23218: Passing an overlong file name to the svcunix_create
|
||||
legacy function could result in a stack-based buffer overflow.
|
||||
|
||||
CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath
|
||||
function could result in a memory leak and potential access of
|
||||
uninitialized memory. Reported by Qualys.
|
||||
|
||||
The following bugs are resolved with this release:
|
||||
|
||||
[The release manager will add the list generated by
|
||||
|
@ -109,6 +109,7 @@ tests := \
|
||||
tst-random \
|
||||
tst-random2 \
|
||||
tst-realpath \
|
||||
tst-realpath-toolong \
|
||||
tst-secure-getenv \
|
||||
tst-setcontext \
|
||||
tst-setcontext2 \
|
||||
|
@ -400,8 +400,16 @@ realpath_stk (const char *name, char *resolved,
|
||||
|
||||
error:
|
||||
*dest++ = '\0';
|
||||
if (resolved != NULL && dest - rname <= get_path_max ())
|
||||
rname = strcpy (resolved, rname);
|
||||
if (resolved != NULL)
|
||||
{
|
||||
if (dest - rname <= get_path_max ())
|
||||
rname = strcpy (resolved, rname);
|
||||
else
|
||||
{
|
||||
failed = true;
|
||||
__set_errno (ENAMETOOLONG);
|
||||
}
|
||||
}
|
||||
|
||||
error_nomem:
|
||||
scratch_buffer_free (&extra_buffer);
|
||||
|
49
stdlib/tst-realpath-toolong.c
Normal file
49
stdlib/tst-realpath-toolong.c
Normal file
@ -0,0 +1,49 @@
|
||||
/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds
|
||||
NAME_MAX.
|
||||
Copyright The GNU Toolchain Authors.
|
||||
This file is part of the GNU C Library.
|
||||
|
||||
The GNU C Library is free software; you can redistribute it and/or
|
||||
modify it under the terms of the GNU Lesser General Public
|
||||
License as published by the Free Software Foundation; either
|
||||
version 2.1 of the License, or (at your option) any later version.
|
||||
|
||||
The GNU C Library is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public
|
||||
License along with the GNU C Library; if not, see
|
||||
<https://www.gnu.org/licenses/>. */
|
||||
|
||||
#include <errno.h>
|
||||
#include <limits.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <support/check.h>
|
||||
#include <support/temp_file.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#define BASENAME "tst-realpath-toolong."
|
||||
|
||||
int
|
||||
do_test (void)
|
||||
{
|
||||
char *base = support_create_and_chdir_toolong_temp_directory (BASENAME);
|
||||
|
||||
char buf[PATH_MAX + 1];
|
||||
const char *res = realpath (".", buf);
|
||||
|
||||
/* canonicalize.c states that if the real path is >= PATH_MAX, then
|
||||
realpath returns NULL and sets ENAMETOOLONG. */
|
||||
TEST_VERIFY (res == NULL);
|
||||
TEST_VERIFY (errno == ENAMETOOLONG);
|
||||
|
||||
free (base);
|
||||
return 0;
|
||||
}
|
||||
|
||||
#include <support/test-driver.c>
|
Loading…
Reference in New Issue
Block a user