[Bug libc/31198] New: realpath allocates a buffer that may not fit a full path

["flibitijibibo at flibitijibibo dot com" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=31198

            Bug ID: 31198
           Summary: realpath allocates a buffer that may not fit a full
                    path
           Product: glibc
           Version: 2.36
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: flibitijibibo at flibitijibibo dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 15273
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15273&action=edit
Patch to replace strdup with malloc(PATH_MAX)

Consider the following example:

  extern char *somepath;
  char *path = realpath(somepath, NULL);
  strcat(path, "/");

It is common to append directory separators to paths, but when realpath
allocates the buffer the size cannot be determined from the outside. While the
application can provide its own buffer, it is reasonable for an application to
assume that a path buffer will be able to fit a full path string even if it
gets modified after the call is made. As a result, modifications to the
strdup'd return value may result in a buffer overwrite.

A good replacement for the strdup allocation in realpath would be to always
allocate a buffer of PATH_MAX size, regardless of the realpath size, so that
modifications to the return value will always fit. I've attached a patch that
does this.

This would fix a crash in the Steamworks SDK, which prior to 2017 always
assumed that the buffer returned by realpath had room to append a directory
separator to the end.

-- 
You are receiving this mail because:
You are on the CC list for the bug.