Date: Thu, 12 Jul 2018 20:14:44 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: overflow() at stdlib.h

On Thu, Jul 12, 2018 at 07:55:56PM +0530, m0rtal f!w wrote:
> Team,
>
> File: stdlib.h#L:113
>
> i.e
> char *realpath (const char *__restrict, char *__restrict);
>
> According to the documentation of realpath() the output buffer needs to be
> at least of size PATH_MAX specifying output buffers large enough to handle
> the maximum-size possible result from path manipulation functions. (In that
> instance, buf's size comes from uv__fs_pathmax_size(). That function
> attempts to use pathconf(path, _PC_PATH_MAX) as noted in the realpath(3)
> docs)

There is no provision in the specification of realpath for use of
pathconf or other facilities for determining a maximum buffer size;
the resolved_name buffer argument must either point to an array of at
least PATH_MAX size, or must be a null pointer, in which case realpath
will allocate storage. Only the latter option when the implementation
does not define PATH_MAX, but musl always defines PATH_MAX.

> But over here uv__fs_pathmax_size() nor pathconf(path, _PC_PATH_MAX) is
> used.

I don't understand what you mean by "is used" here. The only file you
cited is header declarations only, no code, and the declaration is
exactly the only thing it's permitted to be (the one mandated by the
standard).

> Passing an inadequately-sized output buffer to a path manipulation function
> can result in a buffer overflow. Such functions include realpath()
> readlink() PathAppend() and others.
>
> Request team to have a look and validate.

If an application is not passing an adequately-sized (note: this means
PATH_MAX, not anything else!) buffer, that is an application bug and
the application has undefined behavior.

Rich
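
The two conforming ways to call realpath() described in the reply above, as an added example that is not part of the original message or of musl. `resolve_into` and `resolve_fixed` are hypothetical helper names; the first shows how an application whose buffer is smaller than PATH_MAX can stay within bounds by letting realpath allocate.

```c
#define _XOPEN_SOURCE 700   /* expose realpath() and PATH_MAX */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a libc function): resolve `path` into a caller
 * buffer of ANY size. realpath() takes no length argument, so `out` is
 * never passed to it; realpath allocates (null second argument) and the
 * result is copied only after an explicit bounds check. */
int resolve_into(const char *path, char *out, size_t outlen)
{
    char *resolved = realpath(path, NULL);
    if (!resolved)
        return -1;                      /* errno set by realpath */

    size_t need = strlen(resolved) + 1; /* include the terminating NUL */
    if (need > outlen) {
        free(resolved);
        errno = ERANGE;                 /* caller's buffer is too small */
        return -1;
    }
    memcpy(out, resolved, need);
    free(resolved);
    return 0;
}

/* Hypothetical helper: the other conforming form, valid only because the
 * caller guarantees `out` points to at least PATH_MAX bytes. */
int resolve_fixed(const char *path, char *out)
{
    return realpath(path, out) ? 0 : -1;
}

int main(void)
{
    char tiny[1], big[PATH_MAX];

    if (resolve_into("/", tiny, sizeof tiny) != 0)
        printf("tiny buffer rejected: %s\n", strerror(errno));
    if (resolve_fixed("/././", big) == 0)
        printf("resolved: %s\n", big);
    return 0;
}
```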