public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "flibitijibibo at flibitijibibo dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug libc/31198] New: realpath allocates a buffer that may not fit a full path Date: Sat, 30 Dec 2023 00:36:38 +0000 [thread overview] Message-ID: <bug-31198-131@http.sourceware.org/bugzilla/> (raw) https://sourceware.org/bugzilla/show_bug.cgi?id=31198 Bug ID: 31198 Summary: realpath allocates a buffer that may not fit a full path Product: glibc Version: 2.36 Status: UNCONFIRMED Severity: normal Priority: P2 Component: libc Assignee: unassigned at sourceware dot org Reporter: flibitijibibo at flibitijibibo dot com CC: drepper.fsp at gmail dot com Target Milestone: --- Created attachment 15273 --> https://sourceware.org/bugzilla/attachment.cgi?id=15273&action=edit Patch to replace strdup with malloc(PATH_MAX) Consider the following example: extern char *somepath; char *path = realpath(somepath, NULL); strcat(path, "/"); It is common to append directory separators to paths, but when realpath allocates the buffer the size cannot be determined from the outside. While the application can provide its own buffer, it is reasonable for an application to assume that a path buffer will be able to fit a full path string even if it gets modified after the call is made. As a result, modifications to the strdup'd return value may result in a buffer overwrite. A good replacement for the strdup allocation in realpath would be to always allocate a buffer of PATH_MAX size, regardless of the realpath size, so that modifications to the return value will always fit. I've attached a patch that does this. This would fix a crash in the Steamworks SDK, which prior to 2017 always assumed that the buffer returned by realpath had room to append a directory separator to the end. -- You are receiving this mail because: You are on the CC list for the bug.
next reply other threads:[~2023-12-30 0:36 UTC|newest] Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-12-30 0:36 flibitijibibo at flibitijibibo dot com [this message] 2023-12-30 0:46 ` [Bug libc/31198] " schwab@linux-m68k.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-31198-131@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).