Author: jh
Date: Sun Feb 28 13:31:29 2010
New Revision: 204447
URL: http://svn.freebsd.org/changeset/base/204447

Log:
  In _gettemp(), check that the length of the path doesn't exceed
  MAXPATHLEN. Otherwise the path name (or part of it) may not fit in
  carrybuf, causing a buffer overflow.
  
  PR:           bin/140228
  Suggested by: jilles

Modified:
  head/lib/libc/stdio/mktemp.c

Modified: head/lib/libc/stdio/mktemp.c
==============================================================================
--- head/lib/libc/stdio/mktemp.c        Sun Feb 28 11:27:03 2010        
(r204446)
+++ head/lib/libc/stdio/mktemp.c        Sun Feb 28 13:31:29 2010        
(r204447)
@@ -116,6 +116,10 @@ _gettemp(path, doopen, domkdir, slen)
 
        for (trv = path; *trv != '\0'; ++trv)
                ;
+       if (trv - path >= MAXPATHLEN) {
+               errno = ENAMETOOLONG;
+               return (0);
+       }
        trv -= slen;
        suffp = trv;
        --trv;
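Review bot: The new ENAMETOOLONG return in the added `if (trv - path >= MAXPATHLEN)` block is a caller-visible error, but the change touches only mktemp.c, so nothing documents it. Please add ENAMETOOLONG to the ERRORS section of the mktemp(3) manual page in the same commit or a follow-up. A one-line comment above the check saying that the bound exists because the path is later copied into carrybuf would also help, since that relationship is stated only in the commit log and is not evident from the surrounding lines. Separately, the context right after the check does `trv -= slen; suffp = trv; --trv;` and the visible lines do not show slen being validated against the path length; it is worth confirming that the code following this hunk rejects the case where trv ends up before path.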
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
