From: Florian Weimer
Date: Thu, 07 Jun 2018 12:43:00 -0000
Subject: Re: [PATCH] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug 23259, CVE-2011-0536).
To: Carlos O'Donell, GNU C Library, Andreas Schwab, "Dmitry V. Levin"
References: <9cf43cb6-511c-ec6c-9a87-e89a467238d9@redhat.com>

On 06/06/2018 10:18 PM, Carlos O'Donell wrote:
> + if (__glibc_unlikely (__libc_enable_secure)
> + && ((input[len] != '\0' && input[len] != '/'
> + && input[len] != ':')
> + || (input != start + 1
> + || (input > start + 2 && input[-2] != ':'))))

Is the ':' check really the right thing here? Didn't we change the code
so that _dl_dst_substitute is only called with a single component as an
argument? fillin_rpath splits the string at :/:. The callers in dl-deps.c

I also suggest to use struct alloc_buffer, to make the code more
obviously correct.

Thanks,
Florian
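
Review bot: In the quoted `__libc_enable_secure` condition, the last disjunct `input != start + 1 || (input > start + 2 && input[-2] != ':')` reduces to `input != start + 1`, because `input > start + 2` already implies `input != start + 1`, so the `input[-2] != ':'` test can never change the result. If a match preceded by ':' is meant to be accepted in secure mode, the two tests would need `&&` between them rather than `||`; if only a match at `start + 1` is acceptable, drop the dead sub-expression. A short comment stating which positions are allowed when `__libc_enable_secure` is set would make the intent checkable.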