Bug 229433 - overflow at realpath()
Summary: overflow at realpath()
Status: Closed Not A Bug
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-30 18:15 UTC by Dhiraj
Modified: 2018-10-05 20:41 UTC (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dhiraj 2018-06-30 18:15:18 UTC 
File: https://github.com/freebsd/freebsd/blob/master/contrib/mdocml/mandocdb.c#L613

i.e

if (realpath(path, buf) == NULL) {

This function does not protect against buffer overflows, and some implementations can overflow internally.

Ensure that the destination buffer is at least of size MAXPATHLEN, andto protect against implementation problems, the input argument should also be checked to
ensure it is no larger than MAXPATHLEN.

realpath() output buffers should be large enough to handle the maximum-size possible result from path manipulation functions, at least of size PATH_MAX
Comment 1 Yuri Pankov 2018-10-05 19:23:01 UTC 
There is no possible overflow in the line you are pointing out:
- there's no user input involved
- path value comes from fts_read(3)
- buf is of PATH_MAX size
Comment 2 Conrad Meyer freebsd_committer freebsd_triage 2018-10-05 20:41:38 UTC 
In addition to the reasons given by Yuri, our realpath does not overflow a PATH_MAX output buffer.