1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From 769f53598e781ffc89191520f3f8a93cb58db91f Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Mon, 2 Jan 2017 19:47:12 -0500
Subject: [PATCH 2/2] make globfree safe after failed glob from over-length
argument
commit 0dc99ac413d8bc054a2e95578475c7122455eee8 added input length
checking to avoid unsafe VLA allocation, but put it in the wrong
place, before the glob_t structure was zeroed out. while POSIX isn't
clear on whether it's permitted to call globfree after glob failed
with GLOB_NOSPACE, making it safe is clearly better than letting
uninitialized pointers get passed to free in non-conforming callers.
while we're fixing this, change strlen check to the idiomatic strnlen
version to avoid unbounded input scanning before returning an error.
---
src/regex/glob.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/regex/glob.c b/src/regex/glob.c
index 6affee040c31..5b6ff1247f43 100644
--- a/src/regex/glob.c
+++ b/src/regex/glob.c
@@ -169,8 +169,6 @@ int glob(const char *restrict pat, int flags, int (*errfunc)(const char *path, i
d = "";
}
- if (strlen(p) > PATH_MAX) return GLOB_NOSPACE;
-
if (!errfunc) errfunc = ignore_err;
if (!(flags & GLOB_APPEND)) {
@@ -179,6 +177,8 @@ int glob(const char *restrict pat, int flags, int (*errfunc)(const char *path, i
g->gl_pathv = NULL;
}
+ if (strnlen(p, PATH_MAX+1) > PATH_MAX) return GLOB_NOSPACE;
+
if (*p) error = match_in_dir(d, p, flags, errfunc, &tail);
if (error == GLOB_NOSPACE) {
freelist(&head);
--
2.8.3
|