[rtems commit] shell: Out-of-bounds access
Gedare Bloom
gedare at rtems.org
Thu Sep 5 19:07:52 UTC 2013
Module: rtems
Branch: master
Commit: 96654dcc1a6e6f7133b8b1b17fe3e7aaccfe58a1
Changeset: http://git.rtems.org/rtems/commit/?id=96654dcc1a6e6f7133b8b1b17fe3e7aaccfe58a1
Author: Gedare Bloom <gedare at rtems.org>
Date: Thu Sep 5 12:15:27 2013 -0400
shell: Out-of-bounds access
In case the length of cwd path plus the userScriptName exceeds
PATH_MAX (255), the strncat calls will overflow scriptFile. Also
check for getcwd failure.
---
cpukit/libmisc/shell/shell_script.c | 23 +++++++++++++++--------
1 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/cpukit/libmisc/shell/shell_script.c b/cpukit/libmisc/shell/shell_script.c
index 98d0a5b..c055e3f 100644
--- a/cpukit/libmisc/shell/shell_script.c
+++ b/cpukit/libmisc/shell/shell_script.c
@@ -50,6 +50,7 @@ static int findOnPATH(
)
{
int sc;
+ char *cwd;
/*
* If the user script name starts with a / assume it is a fully
@@ -65,14 +66,20 @@ static int findOnPATH(
*/
/* XXX should use strncat but what is the limit? */
- getcwd( scriptFile, PATH_MAX );
- strncat( scriptFile, "/", PATH_MAX );
- strncat(
- scriptFile,
- ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
- &userScriptName[2] : userScriptName),
- PATH_MAX
- );
+ cwd = getcwd( scriptFile, PATH_MAX );
+ if ( cwd != NULL ) {
+ int cwdlen = strnlen( scriptFile, PATH_MAX );
+
+ strncat( scriptFile, "/", PATH_MAX - cwdlen );
+ strncat(
+ scriptFile,
+ ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
+ &userScriptName[2] : userScriptName),
+ PATH_MAX - cwdlen - 1
+ );
+ } else {
+ return -1;
+ }
}
sc = access( scriptFile, R_OK );
More information about the vc
mailing list