[Bug libc/6654] New: realpath contains off-by-one errors

[Bug libc/6654] New: realpath contains off-by-one errors

[john at calva dot com]

In realpath (stdlib/canonicalize.c) we have:

#ifdef PATH_MAX
  path_max = PATH_MAX;
#else
  path_max = pathconf (name, _PC_PATH_MAX);
  if (path_max <= 0)
    path_max = 1024;
#endif
[...]
              char *buf = __alloca (path_max);
[...]
              n = __readlink (rpath, buf, path_max);
              if (n < 0)
                goto error;
              buf[n] = '\0';

readlink would be quite happy to fill all path_max bytes of buf, returning
path_max as n, then we'll write into buf[path_max] which is one byte beyond the
allocated space.

Need either +1 on the alloca or -1 on the readlink.

-- 
           Summary: realpath contains off-by-one errors
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: john at calva dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=6654

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/6654] realpath contains off-by-one errors

[halesh dot sadashiv at ap dot sony dot com]

------- Additional Comments From halesh dot sadashiv at ap dot sony dot com  2008-06-25 13:03 -------
Created an attachment (id=2795)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=2795&action=view)
Testcase to verify the problem in __realpath()


Hi,

Even though the raised defect occurs in realtime hardly, I have tried 
to prove with small testcode.

By executing the attached testcase I found the o/p like this


$ ./test_realpath
Softlinked file before calling realpath: lfile
Actual_path got from realpath /home/halesh/simple.exp.t
Softlinked file after calling realpath:



After calling the realpath() API, the varibale which had softlink file 
name will get currupted because of overwriting '\0' in __realpath() 
of stdlib/canonicalize.c


char*
__realpath (const char *name, char *resolved)
{

[...]
	      n = __readlink (rpath, buf, path_max);
	      if (n < 0)
		goto error;
	      buf[n] = '\0';
[...]
}


After applaying the patch..the o/p was proper

$ ./test_realpath
Softlinked file before calling realpath: lfile
Actual_path got from realpath /home/halesh/simple.exp.
Softlinked file after calling realpath: lfile


If any comments please let me know.


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=6654

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/6654] realpath contains off-by-one errors

[halesh dot sadashiv at ap dot sony dot com]

------- Additional Comments From halesh dot sadashiv at ap dot sony dot com  2008-06-25 13:04 -------
Created an attachment (id=2797)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=2797&action=view)
PATCH 


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=6654

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/6654] realpath contains off-by-one errors

[halesh dot sadashiv at ap dot sony dot com]

------- Additional Comments From halesh dot sadashiv at ap dot sony dot com  2008-06-25 13:04 -------
Created an attachment (id=2796)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=2796&action=view)
PATHCH 


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=6654

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/6654] realpath contains off-by-one errors

[halesh dot sadashiv at ap dot sony dot com]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #2796 is|0                           |1
           obsolete|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=6654

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/6654] realpath contains off-by-one errors

[halesh dot sadashiv at ap dot sony dot com]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #2797 is|0                           |1
           obsolete|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=6654

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/6654] realpath contains off-by-one errors

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2008-06-26 00:01 -------
Your test program is wrong (the buffer must be PATH_MAX in size) and the patch
is wrong (you cut out the last character).  There is also no problem on any
platform defining PATH_MAX (incl Linux) since readlink can never return a value
> PATH_MAX-1.

There is a potential problem on platforms without PATH_MAX (i.e., Hurd).  So I
added a patch.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=6654

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/6654] realpath contains off-by-one errors

[john at calva dot com]

------- Additional Comments From john at calva dot com  2008-06-26 07:51 -------
Subject: Re:  realpath contains off-by-one errors

drepper at redhat dot com wrote:
> ------- Additional Comments From drepper at redhat dot com  2008-06-26 00:01 -------
> Your test program is wrong (the buffer must be PATH_MAX in size) and the patch
> is wrong (you cut out the last character).  There is also no problem on any
> platform defining PATH_MAX (incl Linux) since readlink can never return a value
>   
>> PATH_MAX-1.
>>     
>
> There is a potential problem on platforms without PATH_MAX (i.e., Hurd).  So I
> added a patch.
>
>   
Aha:

/usr/include/linux/limits.h:#define PATH_MAX        4096	/* # chars in a path name including nul */

So, since readlink doesn't return the null the max return from readlink 
is (PATH_MAX-1) bytes, as you say.

(Your patch is to call readlink with (path_max -1), right?)



-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=6654

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/6654] realpath contains off-by-one errors

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=6654

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.