[PATCH] shell: Out-of-bounds access
Gedare Bloom
gedare at rtems.org
Thu Sep 5 16:18:46 UTC 2013
In case the length of cwd path plus the userScriptName exceeds
PATH_MAX (255), the strncat calls will overflow scriptFile. Also
check for getcwd failure.
---
cpukit/libmisc/shell/shell_script.c | 23 +++++++++++++++--------
1 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/cpukit/libmisc/shell/shell_script.c b/cpukit/libmisc/shell/shell_script.c
index 98d0a5b..c055e3f 100644
--- a/cpukit/libmisc/shell/shell_script.c
+++ b/cpukit/libmisc/shell/shell_script.c
@@ -50,6 +50,7 @@ static int findOnPATH(
)
{
int sc;
+ char *cwd;
/*
* If the user script name starts with a / assume it is a fully
@@ -65,14 +66,20 @@ static int findOnPATH(
*/
/* XXX should use strncat but what is the limit? */
- getcwd( scriptFile, PATH_MAX );
- strncat( scriptFile, "/", PATH_MAX );
- strncat(
- scriptFile,
- ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
- &userScriptName[2] : userScriptName),
- PATH_MAX
- );
+ cwd = getcwd( scriptFile, PATH_MAX );
+ if ( cwd != NULL ) {
+ int cwdlen = strnlen( scriptFile, PATH_MAX );
+
+ strncat( scriptFile, "/", PATH_MAX - cwdlen );
+ strncat(
+ scriptFile,
+ ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
+ &userScriptName[2] : userScriptName),
+ PATH_MAX - cwdlen - 1
+ );
+ } else {
+ return -1;
+ }
}
sc = access( scriptFile, R_OK );
--
1.7.1
More information about the devel
mailing list