author | Gedare Bloom <gedare@rtems.org> | 2013-09-05 12:15:27 -0400 |
---|---|---|
committer | Gedare Bloom <gedare@rtems.org> | 2013-09-05 12:15:27 -0400 |
commit | 96654dcc1a6e6f7133b8b1b17fe3e7aaccfe58a1 (patch) | |
tree | 19e110fdf6474d653535a1a0320e40c01a81572a | |
parent | IMFS: Resource leak (diff) | |
download | rtems-96654dcc1a6e6f7133b8b1b17fe3e7aaccfe58a1.tar.bz2 |
shell: Out-of-bounds access
In case the length of cwd path plus the userScriptName exceeds
PATH_MAX (255), the strncat calls will overflow scriptFile. Also
check for getcwd failure.
-rw-r--r-- | cpukit/libmisc/shell/shell_script.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/cpukit/libmisc/shell/shell_script.c b/cpukit/libmisc/shell/shell_script.c
index 98d0a5b8c8..c055e3f8d8 100644
--- a/cpukit/libmisc/shell/shell_script.c
+++ b/cpukit/libmisc/shell/shell_script.c
@@ -50,6 +50,7 @@ static int findOnPATH(
 )
 {
 int sc;
+ char *cwd;
 /*
 * If the user script name starts with a / assume it is a fully
@@ -65,14 +66,20 @@ static int findOnPATH(
 */
 /* XXX should use strncat but what is the limit? */
- getcwd( scriptFile, PATH_MAX );
- strncat( scriptFile, "/", PATH_MAX );
- strncat(
- scriptFile,
- ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
- &userScriptName[2] : userScriptName),
- PATH_MAX
- );
+ cwd = getcwd( scriptFile, PATH_MAX );
+ if ( cwd != NULL ) {
+ int cwdlen = strnlen( scriptFile, PATH_MAX );
+
+ strncat( scriptFile, "/", PATH_MAX - cwdlen );
+ strncat(
+ scriptFile,
+ ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
+ &userScriptName[2] : userScriptName),
+ PATH_MAX - cwdlen - 1
+ );
+ } else {
+ return -1;
+ }
 }
 sc = access( scriptFile, R_OK ); |
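Review bot: The two new strncat bounds in the second hunk are still off by one, because strncat's count is the number of characters appended and the terminating NUL is written in addition to them. With `PATH_MAX - cwdlen` and `PATH_MAX - cwdlen - 1` the terminator can land at `scriptFile[PATH_MAX]` when the joined path is too long, assuming scriptFile holds PATH_MAX bytes as the getcwd size argument suggests (its declaration is outside the hunk). An over-long name is also silently truncated, so the path that reaches access() is not the one the caller asked for. I would append the suffix with one bounded snprintf and return -1 on truncation, as below, and drop the stale `XXX should use strncat` comment at the same time. The enclosing else block and findOnPATH itself start outside the hunk.

```c
    /* … unchanged: comment block describing the cwd-relative lookup … */
    cwd = getcwd( scriptFile, PATH_MAX );
    if ( cwd == NULL ) {
      return -1;
    } else {
      size_t      cwdlen = strnlen( scriptFile, PATH_MAX );
      const char *name =
        ( userScriptName[0] == '.' && userScriptName[1] == '/' ) ?
          &userScriptName[2] : userScriptName;
      int         n =
        snprintf( scriptFile + cwdlen, PATH_MAX - cwdlen, "/%s", name );

      /* Reject rather than truncate: a shortened path names a different file. */
      if ( n < 0 || (size_t) n >= PATH_MAX - cwdlen ) {
        return -1;
      }
    }
```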