From 527cb43fa1b4e55df661feabbac51b8e608b6519 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Thu, 14 Jul 2022 11:22:08 +1000
Subject: Return ERANGE from getcwd() if buffer size is 1.

If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it
could result in a nul byte being written out of array bounds. POSIX says
it should return ERANGE if the path will not fit in the available buffer
(with terminating nul). 1 byte cannot fit any possible path with its nul,
so immediately return ERANGE in that case.

OpenSSH never uses getcwd() with this buffer size, and all current
(and even quite old) platforms that we are currently known to work
on have a native getcwd() so this code is not used on those anyway.
Reported by Qualys, ok djm@

Reference:https://anongit.mindrot.org/openssh.git/patch/?id=527cb43fa1b4e55df661feabbac51b8e608b6519
Conflict:NA
---
openbsd-compat/getcwd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index e4f7f5a..a403a01 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -71,9 +71,12 @@ getcwd(char *pt, size_t size)
*/
if (pt) {
ptsize = 0;
- if (!size) {
+ if (size == 0) {
errno = EINVAL;
return (NULL);
+ } else if (size == 1) {
+ errno = ERANGE;
+ return (NULL);
}
ept = pt + size;
} else {
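Review bot: The new `else if (size == 1)` branch inside `if (pt)` returns ERANGE with no comment saying why 1 is special; a one-line comment (a 1-byte buffer cannot hold any path plus its terminating nul, as the commit message explains) would keep a later cleanup from folding it back into the EINVAL case. Because the change special-cases the size rather than guarding the write itself, it is also worth confirming that the code following `ept = pt + size;`, which this hunk does not show, checks against `ept` before storing the nul when size is 2 or more. The `else` after `return (NULL);` is redundant, though harmless.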
--
2.33.0