From 96654dcc1a6e6f7133b8b1b17fe3e7aaccfe58a1 Mon Sep 17 00:00:00 2001
From: Gedare Bloom <gedare@rtems.org>
Date: Thu, 5 Sep 2013 12:15:27 -0400
Subject: shell: Out-of-bounds access

In case the length of cwd path plus the userScriptName exceeds
PATH_MAX (255), the strncat calls will overflow scriptFile. Also
check for getcwd failure.
---
 cpukit/libmisc/shell/shell_script.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/cpukit/libmisc/shell/shell_script.c b/cpukit/libmisc/shell/shell_script.c
index 98d0a5b8c8..c055e3f8d8 100644
--- a/cpukit/libmisc/shell/shell_script.c
+++ b/cpukit/libmisc/shell/shell_script.c
@@ -50,6 +50,7 @@ static int findOnPATH(
 )
 {
   int sc;
+  char *cwd;
 
   /*
    *  If the user script name starts with a / assume it is a fully
@@ -65,14 +66,20 @@ static int findOnPATH(
      */
 
     /* XXX should use strncat but what is the limit? */
-    getcwd( scriptFile, PATH_MAX );
-    strncat( scriptFile, "/", PATH_MAX );
-    strncat(
-      scriptFile,
-      ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
-         &userScriptName[2] : userScriptName),
-      PATH_MAX
-    );
+    cwd = getcwd( scriptFile, PATH_MAX );
+    if ( cwd != NULL ) {
+      int cwdlen = strnlen( scriptFile, PATH_MAX );
+
+      strncat( scriptFile, "/", PATH_MAX - cwdlen );
+      strncat(
+          scriptFile,
+          ( (userScriptName[0] == '.' && userScriptName[1] == '/') ?
+            &userScriptName[2] : userScriptName),
+          PATH_MAX - cwdlen - 1
+          );
+    } else {
+      return -1;
+    }
   }
 
   sc = access( scriptFile, R_OK );
-- 
cgit v1.2.3