RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Return ERANGE from getcwd() if buffer size is 1. 

If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it
could result in a nul byte being written out of array bounds.  POSIX says
it should return ERANGE if the path will not fit in the available buffer
(with terminating nul). 1 byte cannot fit any possible path with its nul,
so immediately return ERANGE in that case.

OpenSSH never uses getcwd() with this buffer size, and all current
(and even quite old) platforms that we are currently known to work
on have a native getcwd() so this code is not used on those anyway.
Reported by Qualys, ok djm@
This commit is contained in:
Darren Tucker 2022-07-14 11:22:08 +10:00
parent 36857fefd8
commit 527cb43fa1
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
openbsd-compat/getcwd.c
View File

@ -70,9 +70,12 @@ getcwd(char *pt, size_t size)
*/
if (pt) {
ptsize = 0;
if (!size) {
if (size == 0) {
errno = EINVAL;
return (NULL);
} else if (size == 1) {
errno = ERANGE;
return (NULL);
}
ept = pt + size;
} else {