Bug 239700 - cap_fileargs(3) is not robust against long paths
Summary: cap_fileargs(3) is not robust against long paths
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: Mariusz Zaborski
Depends on:
Reported: 2019-08-07 16:04 UTC by Mark Johnston
Modified: 2021-01-20 17:48 UTC (History)
4 users (show)

See Also:

patch (606 bytes, patch)
2019-08-07 16:19 UTC, Mariusz Zaborski
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Johnston freebsd_committer 2019-08-07 16:04:08 UTC
$ readelf -r $(perl -e "print 'a' x 100000")
Assertion failed: (nvl->nvl_error == 0), function nvlist_find, file /usr/home/markj/src/freebsd-dev/sys/contrib/libnv/nvlist.c, line 341.
Abort trap (core dumped)
Comment 1 Mariusz Zaborski freebsd_committer 2019-08-07 16:19:39 UTC
Created attachment 206337 [details]

This patch should fix the problem for you.
Does it work for you?
Comment 2 Mark Johnston freebsd_committer 2019-08-07 16:27:46 UTC
It does, thanks.  I think it should fail if strlen(argv[i]) >= MAXPATHLEN, since MAXPATHLEN is supposed to be a buffer size, not a string length.
Comment 3 commit-hook freebsd_committer 2019-08-07 19:30:59 UTC
A commit references this bug:

Author: oshogbo
Date: Wed Aug  7 19:30:33 UTC 2019
New revision: 350695
URL: https://svnweb.freebsd.org/changeset/base/350695

  cap_filergs: limit size of the file name

  The limit of the name in fileargs is twice the size of the MAXPATH.
  The nvlist will not add an element with the longer name.
  We can detect at this point that the path is too big, and simple return
  the same error as open(2) would.

  PR:		239700
  Reported by:	markj
  Tested by:	markj
  MFC after:	2 weeks