Changeset 96654dc in rtems


Timestamp:
Sep 5, 2013, 4:15:27 PM (6 years ago)
Author:
Gedare Bloom <gedare@…>
Branches:
4.11, master
Children:
551468c
Parents:
a6d35256
Message:

shell: Out-of-bounds access

In case the length of cwd path plus the userScriptName exceeds
PATH_MAX (255), the strncat calls will overflow scriptFile. Also
check for getcwd failure.

File:
1 edited

  • cpukit/libmisc/shell/shell_script.c

    ra6d35256 r96654dc  
    5151{
    5252  int sc;
     53  char *cwd;
    5354
    5455  /*
     
    6667
    6768    /* XXX should use strncat but what is the limit? */
    68     getcwd( scriptFile, PATH_MAX );
    69     strncat( scriptFile, "/", PATH_MAX );
    70     strncat(
    71       scriptFile,
    72       ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
    73          &userScriptName[2] : userScriptName),
    74       PATH_MAX
    75     );
     69    cwd = getcwd( scriptFile, PATH_MAX );
     70    if ( cwd != NULL ) {
     71      int cwdlen = strnlen( scriptFile, PATH_MAX );
     72
     73      strncat( scriptFile, "/", PATH_MAX - cwdlen );
     74      strncat(
     75          scriptFile,
     76          ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
     77            &userScriptName[2] : userScriptName),
     78          PATH_MAX - cwdlen - 1
     79          );
     80    } else {
     81      return -1;
     82    }
    7683  }
    7784
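Review bot: The strncat bounds on new lines 73 and 78 leave no room for the terminating NUL. strncat appends up to n characters and then writes a NUL, so n must be the remaining space minus one. After the "/" the string ends at index cwdlen + 1, so with `PATH_MAX - cwdlen - 1` a long userScriptName fills through index PATH_MAX - 1 and the NUL lands at index PATH_MAX, one byte past a PATH_MAX-sized buffer (the size the getcwd call assumes for scriptFile). The "/" call has the same problem when cwdlen is PATH_MAX - 1. Rather than shaving the constants, which can go negative and convert to a huge size_t, suggest checking up front that cwdlen + 1 + strlen of the name is less than PATH_MAX and returning -1 otherwise, so that a truncated path is rejected instead of being used silently. Smaller points: strnlen returns size_t, so cwdlen should not be int, and the "XXX should use strncat but what is the limit?" comment is now stale.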