NetBSD-Bugs archive


bin/39746: Too small buffer for long TMPDIR and unlinked-file in src/usr.bin/config/main.c

>Number:         39746
>Category:       bin
>Synopsis:       Too small buffer for long TMPDIR and unlinked-file in 
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 16 05:05:00 +0000 2008
>Originator:     Gao Ya'nan
>Release:        NetBSD-current and NetBSD-4.0
NetBSD 4.0 NetBSD 4.0 (GENERIC) #0: Sun Dec 16 00:20:10 PST 

main(int argc, char **argv)
        char *p, cname[20];
        const char *last_component;

So, cname only takes 20 bytes.

                /* Open temporary configuration file */
                tmpdir = getenv("TMPDIR");
                if (tmpdir == NULL)
                        tmpdir = "/tmp";
                snprintf(cname, sizeof(cname), "%s/config.tmp.XXXXXX", tmpdir);
                cfd = mkstemp(cname);
                if (cfd == -1)
                        err(EXIT_FAILURE, "Cannot create `%s'", cname);

                printf("Using configuration data embedded in kernel...\n");
                if (!extract_config(conffile, cname, cfd))
                        errx(EXIT_FAILURE, "%s does not contain embedded "
                            "configuration data", conffile);

                removeit = 1;

First, if $TMPDIR is more than 7 bytes, 'XXXXXX' will be lost, and if $TMPDIR 
is long enough, the full name will be truncated.

Second, if extract_config() returns with 0, there will be an unlinked file in 
TMPDIR or a directory above it.

TMPDIR=/mnt/averylongtmpdirforconfig config -b /mnt/build netbsd

1, change the size of cname to MAXPATHLEN;
2, unlink the file if extract_config returns with 0.
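
The truncation described in the report and a checked alternative, as an added example that is not part of the original report or the NetBSD source. The names surviving_x, make_temp_checked and extract_ok (a stand-in for the result of extract_config()) are hypothetical, PATH_MAX is used where the report suggests MAXPATHLEN, and the TMPDIR values are constructed sample inputs.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SUFFIX "/config.tmp.XXXXXX"   /* template suffix from the report */

/* Reported sizing: 20-byte buffer, snprintf() result ignored.
 * Returns how many of the six placeholder Xs survive the truncation. */
int surviving_x(const char *tmpdir)
{
    char cname[20];
    int count = 0;
    snprintf(cname, sizeof(cname), "%s" SUFFIX, tmpdir);
    for (size_t n = strlen(cname); n > 0 && cname[n - 1] == 'X'; n--)
        count++;
    return count;
}

/* Checked variant (hypothetical helper): truncation is an error, and the
 * file is unlinked when extraction fails (extract_ok == 0).
 * Returns 0 with the created path in out, or -1 with nothing left on disk. */
int make_temp_checked(const char *tmpdir, int extract_ok, char *out, size_t len)
{
    int n = snprintf(out, len, "%s" SUFFIX, tmpdir);
    if (n < 0 || (size_t)n >= len)
        return -1;                    /* template would be truncated */
    int fd = mkstemp(out);
    if (fd == -1)
        return -1;
    close(fd);
    if (!extract_ok) {
        unlink(out);                  /* do not leave the file behind */
        return -1;
    }
    return 0;                         /* caller removes the file when done */
}

int main(void)
{
    char path[PATH_MAX];              /* sample TMPDIR values are constructed */
    printf("Xs kept: %d (/tmp), %d (long TMPDIR)\n", surviving_x("/tmp"),
        surviving_x("/mnt/averylongtmpdirforconfig"));
    if (make_temp_checked("/tmp", 1, path, sizeof(path)) == 0)
        unlink(path);
    return 0;
}
```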
