Subject: Re: rm(1) and cp(1) printable characters diff
To: None <tech-userlevel@netbsd.org>
From: Charles Blundell <cb@kittenz.org>
List: tech-userlevel
Date: 07/21/2003 17:59:37
on Mon, Jul 21, 2003 at 10:21:18AM -0400, Jan Schaumann wrote:
> > For what it's worth, this will overflow for certain large lengths of
> > src. I think the magic values start at strlen(src) = SIZE_T_MAX/4.
> > [(4*SIZE_T_MAX/4) + 1 = SIZE_T_MAX + 1 -> int overflow.]
> > This will result in less memory being allocated than is expected
> > when using gcc.
>
> Well, but given that SIZE_T_MAX >> MAXPATHLEN, this should never occur,
> right?
I see the below code where, explicitly, strlen(src) > MAXPATHLEN.
There does not appear to be any such assertion within rm.c,
so it seems strlen(src) > MAXPATHLEN is possible. Likewise
there is no SIZE_T_MAX/strlen(src) >= 4 check. i.e. no upper
limit is imposed on strlen(src) in these cases, except by something
platform dependent.
It is entirely possible that this function may be used in future
where input is accepted from a source with weaker platform dependent
limits, e.g., via stdin or a disk file.
Index: cp/cp.c
===================================================================
RCS file: /cvsroot/src/bin/cp/cp.c,v
retrieving revision 1.32
diff -u -r1.32 cp.c
--- cp/cp.c 16 Dec 2002 14:44:14 -0000 1.32
+++ cp/cp.c 20 Jul 2003 23:45:41 -0000
@@ -184,8 +188,12 @@
/* Save the target base in "to". */
target = argv[--argc];
- if (strlen(target) > MAXPATHLEN)
- errx(1, "%s: name too long", target);
+ if (strlen(target) > MAXPATHLEN) {
+ char *fn;
+ fn = printescaped(target);
+ errx(1, "%s: name too long", fn);
+ free(fn);
+ }
(void)strcpy(to.p_path, target);
to.p_end = to.p_path + strlen(to.p_path);
if (to.p_path == to.p_end) {