>Number:         25680
>Category:       bin
>Synopsis:       whereis/which return invalid information with huge path
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 23 01:58:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 2.0E
>Organization:
>Environment:
System: NetBSD cyclonus 2.0E NetBSD 2.0E (STARSCREAM) #0: Sat Apr 24 19:43:57 CEST 2004 bin@cyclonus:/usr/obj/sys/arch/i386/compile/STARSCREAM i386
>Description:

/usr/bin/{whereis,which} do not check whether the path was truncated and
may therefore return false information e.g., <path>/rm when asking for
rmdir. All shells I've tested (sh, csh, ksh, bash) will not resp. fail to
execute the truncated pathname - probably because they don't truncate the
pathname and exec*() fail with errno set to ENAMETOOLONG.

>How-To-Repeat:

$ PATH=${PATH+$PATH:}`jot -s '' -c 1017 / /`bin
$ which -a rmdir

>Fix:

Index: whereis.c
===================================================================
RCS file: /cvsroot/src/usr.bin/whereis/whereis.c,v
retrieving revision 1.16
diff -u -r1.16 whereis.c
--- whereis.c	1 Apr 2004 22:14:48 -0000	1.16
+++ whereis.c	23 May 2004 01:24:08 -0000
@@ -121,7 +121,9 @@
 			} else
 				if (strlen(t) == 0)
 					t = ".";
-			(void)snprintf(path, sizeof(path), "%s/%s", t, *argv);
+			len = snprintf(path, sizeof(path), "%s/%s", t, *argv);
+			if (len >= sizeof(path))
+				continue;
 			if (stat(path, &sb) == -1)
 				continue;
 			if (!S_ISREG(sb.st_mode))
>Release-Note:
>Audit-Trail:
>Unformatted: