sh: Fix bss-based buffer overflow in . builtin.
authorPeter Avalos <pavalos@dragonflybsd.org>
Sun, 21 Aug 2011 19:27:39 +0000 (12:27 -0700)
committerPeter Avalos <pavalos@dragonflybsd.org>
Sun, 21 Aug 2011 20:49:09 +0000 (13:49 -0700)
If the length of a directory in PATH together with the given filename
exceeded FILENAME_MAX (which may happen even for pathnames that work), a
static buffer was overflowed.

The static buffer is unnecessary, we can use the stalloc() stack.

Obtained-from:     FreeBSD 222173

bin/sh/main.c

index 2ed869a..6629078 100644 (file)
@@ -35,7 +35,7 @@
  *
  * @(#) Copyright (c) 1991, 1993 The Regents of the University of California.  All rights reserved.
  * @(#)main.c  8.6 (Berkeley) 5/28/95
- * $FreeBSD: src/bin/sh/main.c,v 1.47 2011/05/08 17:40:10 jilles Exp $
+ * $FreeBSD: src/bin/sh/main.c,v 1.48 2011/05/22 12:12:28 jilles Exp $
  */
 
 #include <stdio.h>
@@ -275,7 +275,6 @@ readcmdfile(const char *name)
 static const char *
 find_dot_file(const char *basename)
 {
-       static char localname[FILENAME_MAX+1];
        char *fullname;
        const char *path = pathval();
        struct stat statb;
@@ -285,10 +284,14 @@ find_dot_file(const char *basename)
                return basename;
 
        while ((fullname = padvance(&path, basename)) != NULL) {
-               strcpy(localname, fullname);
+               if ((stat(fullname, &statb) == 0) && S_ISREG(statb.st_mode)) {
+                       /*
+                        * Don't bother freeing here, since it will
+                        * be freed by the caller.
+                        */
+                       return fullname;
+               }
                stunalloc(fullname);
-               if ((stat(fullname, &statb) == 0) && S_ISREG(statb.st_mode))
-                       return localname;
        }
        return basename;
 }
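Review bot: The early `return fullname;` inside the `while` loop hands the caller a pointer into the stalloc() stack, while the other return paths hand back `basename` unchanged, and the `const char *` return type gives no hint of the difference. The in-loop comment says the caller will free it, but the caller is not visible in this diff, so that should be confirmed: the path must not be read after the caller releases or reuses that stack region, otherwise the overflow is traded for a stale-pointer read. I would state the contract once above the function, e.g. `/* Returns basename itself, or a path on the stalloc() stack that the caller must release and must not use afterwards. */`. The body of find_dot_file starts above this hunk.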