[openssh-commits] [openssh] 01/02: Return ERANGE from getcwd() if buffer size is 1.

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Jul 14 19:23:47 AEST 2022

This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 527cb43fa1b4e55df661feabbac51b8e608b6519
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Thu Jul 14 11:22:08 2022 +1000

    Return ERANGE from getcwd() if buffer size is 1.

    If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it
    could result in a nul byte being written out of array bounds.  POSIX says
    it should return ERANGE if the path will not fit in the available buffer
    (with terminating nul). 1 byte cannot fit any possible path with its nul,
    so immediately return ERANGE in that case.

    OpenSSH never uses getcwd() with this buffer size, and all current
    (and even quite old) platforms that we are currently known to work
    on have a native getcwd() so this code is not used on those anyway.

    Reported by Qualys, ok djm@

 openbsd-compat/getcwd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index 2d56bae1..a904291a 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -70,9 +70,12 @@ getcwd(char *pt, size_t size)
 	if (pt) {
 		ptsize = 0;
-		if (!size) {
+		if (size == 0) {
 			errno = EINVAL;
 			return (NULL);
+		} else if (size == 1) {
+			errno = ERANGE;
+			return (NULL);
 		ept = pt + size;
 	} else {
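
Review bot: The new `size == 1` branch in getcwd() has no comment saying why a one-byte buffer is rejected, so the reasoning lives only in the commit message. A short comment above `} else if (size == 1) {` stating that no path fits in one byte together with its terminating nul would keep the check from looking arbitrary or being folded away later. Also, as rendered in this mail there is no closing brace between `return (NULL);` and `ept = pt + size;`, and the header `@@ -70,9 +70,12 @@` counts 12 new-side lines where only 10 are shown, so compare against the repository copy rather than applying this text directly.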
