From owner-svn-src-stable-11@freebsd.org  Mon May 29 12:52:14 2017
Return-Path: <owner-svn-src-stable-11@freebsd.org>
Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A3D42CFE5C1;
 Mon, 29 May 2017 12:52:14 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 7627A78481;
 Mon, 29 May 2017 12:52:14 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v4TCqD1B093202;
 Mon, 29 May 2017 12:52:13 GMT (envelope-from kib@FreeBSD.org)
Received: (from kib@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v4TCqDDx093201;
 Mon, 29 May 2017 12:52:13 GMT (envelope-from kib@FreeBSD.org)
Message-Id: <201705291252.v4TCqDDx093201@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org
 using -f
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Mon, 29 May 2017 12:52:13 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r319126 - stable/11/lib/libc/stdlib
X-SVN-Group: stable-11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-11@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for only the 11-stable src tree
 <svn-src-stable-11.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-11/>
List-Post: <mailto:svn-src-stable-11@freebsd.org>
List-Help: <mailto:svn-src-stable-11-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11>, 
 <mailto:svn-src-stable-11-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 29 May 2017 12:52:14 -0000

Author: kib
Date: Mon May 29 12:52:13 2017
New Revision: 319126
URL: https://svnweb.freebsd.org/changeset/base/319126

Log:
  MFC r318298:
  Fix several buffer overflows in realpath(3), and other minor issues.
  
  PR:	219154

Modified:
  stable/11/lib/libc/stdlib/realpath.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/lib/libc/stdlib/realpath.c
==============================================================================
--- stable/11/lib/libc/stdlib/realpath.c	Mon May 29 12:51:02 2017	(r319125)
+++ stable/11/lib/libc/stdlib/realpath.c	Mon May 29 12:52:13 2017	(r319126)
@@ -51,10 +51,11 @@ char *
 realpath(const char * __restrict path, char * __restrict resolved)
 {
 	struct stat sb;
-	char *p, *q, *s;
-	size_t left_len, resolved_len;
+	char *p, *q;
+	size_t left_len, resolved_len, next_token_len;
 	unsigned symlinks;
-	int m, slen;
+	int m;
+	ssize_t slen;
 	char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
 
 	if (path == NULL) {
@@ -109,18 +110,19 @@ realpath(const char * __restrict path, c
 		 * and its length.
 		 */
 		p = strchr(left, '/');
-		s = p ? p : left + left_len;
-		if (s - left >= sizeof(next_token)) {
-			if (m)
-				free(resolved);
-			errno = ENAMETOOLONG;
-			return (NULL);
+
+		next_token_len = p ? p - left : left_len;
+		memcpy(next_token, left, next_token_len);
+		next_token[next_token_len] = '\0';
+
+		if (p != NULL) {
+			left_len -= next_token_len + 1;
+			memmove(left, p + 1, left_len + 1);
+		} else {
+			left[0] = '\0';
+			left_len = 0;
 		}
-		memcpy(next_token, left, s - left);
-		next_token[s - left] = '\0';
-		left_len -= s - left;
-		if (p != NULL)
-			memmove(left, s + 1, left_len + 1);
+
 		if (resolved[resolved_len - 1] != '/') {
 			if (resolved_len + 1 >= PATH_MAX) {
 				if (m)
@@ -173,19 +175,25 @@ realpath(const char * __restrict path, c
 				errno = ELOOP;
 				return (NULL);
 			}
-			slen = readlink(resolved, symlink, sizeof(symlink) - 1);
-			if (slen < 0) {
+			slen = readlink(resolved, symlink, sizeof(symlink));
+			if (slen <= 0 || slen >= sizeof(symlink)) {
 				if (m)
 					free(resolved);
+				if (slen < 0) {
+					/* keep errno from readlink(2) call */
+				} else if (slen == 0) {
+					errno = ENOENT;
+				} else {
+					errno = ENAMETOOLONG;
+				}
 				return (NULL);
 			}
 			symlink[slen] = '\0';
 			if (symlink[0] == '/') {
 				resolved[1] = 0;
 				resolved_len = 1;
-			} else if (resolved_len > 1) {
+			} else {
 				/* Strip the last path component. */
-				resolved[resolved_len - 1] = '\0';
 				q = strrchr(resolved, '/') + 1;
 				*q = '\0';
 				resolved_len = q - resolved;
@@ -209,7 +217,7 @@ realpath(const char * __restrict path, c
 				}
 				left_len = strlcat(symlink, left,
 				    sizeof(symlink));
-				if (left_len >= sizeof(left)) {
+				if (left_len >= sizeof(symlink)) {
 					if (m)
 						free(resolved);
 					errno = ENAMETOOLONG;