public inbox for glibc-bugs@sourceware.org
* [Bug libc/31198] New: realpath allocates a buffer that may not fit a full path
@ 2023-12-30  0:36 flibitijibibo at flibitijibibo dot com
  2023-12-30  0:46 ` [Bug libc/31198] " schwab@linux-m68k.org
  0 siblings, 1 reply; 2+ messages in thread
From: flibitijibibo at flibitijibibo dot com @ 2023-12-30  0:36 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31198

            Bug ID: 31198
           Summary: realpath allocates a buffer that may not fit a full path
           Product: glibc
           Version: 2.36
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: flibitijibibo at flibitijibibo dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 15273
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15273&action=edit
Patch to replace strdup with malloc(PATH_MAX)

Consider the following example:

  #include <stdlib.h>
  #include <string.h>

  extern char *somepath;
  char *path = realpath(somepath, NULL);  /* buffer sized exactly to the result */
  strcat(path, "/");                      /* writes past the end of that buffer */

It is common to append directory separators to paths, but when realpath
allocates the buffer the size cannot be determined from the outside. While the
application can provide its own buffer, it is reasonable for an application to
assume that a path buffer will be able to fit a full path string even if it
gets modified after the call is made. As a result, modifications to the
strdup'd return value may result in a buffer overwrite.

A good replacement for the strdup allocation in realpath would be to always
allocate a buffer of PATH_MAX size, regardless of the realpath size, so that
modifications to the return value will always fit. I've attached a patch that
does this.

This would fix a crash in the Steamworks SDK, which prior to 2017 always
assumed that the buffer returned by realpath had room to append a directory
separator to the end.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug libc/31198] realpath allocates a buffer that may not fit a full path
  2023-12-30  0:36 [Bug libc/31198] New: realpath allocates a buffer that may not fit a full path flibitijibibo at flibitijibibo dot com
@ 2023-12-30  0:46 ` schwab@linux-m68k.org
  0 siblings, 0 replies; 2+ messages in thread
From: schwab@linux-m68k.org @ 2023-12-30  0:46 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31198

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
Just use realloc.

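The pattern from the report (strcat on the buffer realpath allocated) and the realloc approach suggested in this reply, as an added example that is not part of the thread; the helper names append_separator and canonical_dir are assumptions made for the example:

```c
#define _DEFAULT_SOURCE 1   /* declares realpath() and strdup() under strict -std= */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Take ownership of a heap buffer holding a path, as returned by
 * realpath(name, NULL) (sized exactly strlen(result) + 1), and grow it
 * so a trailing directory separator fits.  Returns the new buffer, or
 * NULL (with the original freed) if realloc fails. */
char *append_separator(char *resolved)
{
    size_t len = strlen(resolved);

    /* Nothing to do if the path already ends in '/', e.g. the root "/". */
    if (len > 0 && resolved[len - 1] == '/')
        return resolved;

    /* Grow first: strcat() on the original buffer would write past its end. */
    char *grown = realloc(resolved, len + 2);   /* +1 for '/', +1 for NUL */
    if (grown == NULL) {
        free(resolved);
        return NULL;
    }
    grown[len] = '/';
    grown[len + 1] = '\0';
    return grown;
}

/* Resolve 'name' with realpath() and return it with a trailing separator.
 * Hypothetical helper for this example; the caller frees the result. */
char *canonical_dir(const char *name)
{
    char *path = realpath(name, NULL);   /* NULL: let libc allocate the buffer */
    if (path == NULL)
        return NULL;                     /* errno left as set by realpath() */
    return append_separator(path);
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : ".";
    char *dir = canonical_dir(name);
    if (dir == NULL) {
        perror("realpath");
        return 1;
    }
    printf("%s\n", dir);
    free(dir);
    return 0;
}
```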

