From owner-freebsd-bugs@FreeBSD.ORG Fri Nov 6 18:10:03 2009 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2E5A106566B for ; Fri, 6 Nov 2009 18:10:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 9834A8FC18 for ; Fri, 6 Nov 2009 18:10:03 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id nA6IA39s004336 for ; Fri, 6 Nov 2009 18:10:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id nA6IA36f004335; Fri, 6 Nov 2009 18:10:03 GMT (envelope-from gnats) Date: Fri, 6 Nov 2009 18:10:03 GMT Message-Id: <200911061810.nA6IA36f004335@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Jilles Tjoelker Cc: Subject: Re: bin/140228: [patch] mktemp(1) buffer overrun X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Jilles Tjoelker List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Nov 2009 18:10:03 -0000 The following reply was made to PR bin/140228; it has been noted by GNATS. From: Jilles Tjoelker To: bug-followup@FreeBSD.org, jeremyhu@apple.com Cc: Subject: Re: bin/140228: [patch] mktemp(1) buffer overrun Date: Fri, 6 Nov 2009 19:05:48 +0100 It seems more reasonable to have _gettemp() check the length of its input string, and fail with ENAMETOOLONG if it is longer than MAXPATHLEN. Your patch relies on the kernel to reject names longer than MAXPATHLEN with ENAMETOOLONG to avoid it reading past the end of carrybuf (in obscure cases). -- Jilles Tjoelker