Bug 239700

Summary: cap_fileargs(3) is not robust against long paths
Product: Base System Reporter: Mark Johnston <markj>
Component: binAssignee: Mariusz Zaborski <oshogbo>
Status: In Progress ---    
Severity: Affects Only Me CC: cem, emaste, kevans, oshogbo
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch none

Description Mark Johnston freebsd_committer 2019-08-07 16:04:08 UTC
$ readelf -r $(perl -e "print 'a' x 100000")
Assertion failed: (nvl->nvl_error == 0), function nvlist_find, file /usr/home/markj/src/freebsd-dev/sys/contrib/libnv/nvlist.c, line 341.
Abort trap (core dumped)
Comment 1 Mariusz Zaborski freebsd_committer 2019-08-07 16:19:39 UTC
Created attachment 206337 [details]
patch

This patch should fix the problem for you.
Does it work for you?
Comment 2 Mark Johnston freebsd_committer 2019-08-07 16:27:46 UTC
It does, thanks.  I think it should fail if strlen(argv[i]) >= MAXPATHLEN, since MAXPATHLEN is supposed to be a buffer size, not a string length.
Comment 3 commit-hook freebsd_committer 2019-08-07 19:30:59 UTC
A commit references this bug:

Author: oshogbo
Date: Wed Aug  7 19:30:33 UTC 2019
New revision: 350695
URL: https://svnweb.freebsd.org/changeset/base/350695

Log:
  cap_filergs: limit size of the file name

  The limit of the name in fileargs is twice the size of the MAXPATH.
  The nvlist will not add an element with the longer name.
  We can detect at this point that the path is too big, and simple return
  the same error as open(2) would.

  PR:		239700
  Reported by:	markj
  Tested by:	markj
  MFC after:	2 weeks

Changes:
  head/lib/libcasper/services/cap_fileargs/cap_fileargs.c