Date: Fri, 3 May 2024 08:29:30 GMT
From: Xin LI <delphij@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 95032b58a1ad - main - Tighten boundary check in split(1) to prevent a potential buffer overflow.
Message-ID: <202405030829.4438TUWK009949@gitrepo.freebsd.org>
The branch main has been updated by delphij: URL: https://cgit.FreeBSD.org/src/commit/?id=95032b58a1ad0fde57518f17805ca721bb4563ad commit 95032b58a1ad0fde57518f17805ca721bb4563ad Author: Shawn Bayern <sbayern@law.fsu.edu> AuthorDate: 2024-05-03 07:46:18 +0000 Commit: Xin LI <delphij@FreeBSD.org> CommitDate: 2024-05-03 08:29:20 +0000 Tighten boundary check in split(1) to prevent a potential buffer overflow. Before increasing sufflen, make sure the current name plus two (including the terminating NUL character and the to-be-added character) does not exceed the fixed buffer length, and stop immediately if this would occur. In worst case scenario the code would write an nul character beyond the boundary, however it would be caught by open(2) and based on the memory layout, we do not believe this would constitute a security vulnerability. MFC after: 3 days --- usr.bin/split/split.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr.bin/split/split.c b/usr.bin/split/split.c index 0241637c93ad..2724f8a20cde 100644 --- a/usr.bin/split/split.c +++ b/usr.bin/split/split.c @@ -390,6 +390,10 @@ newfile(void) */ if (!dflag && autosfx && (fpnt[0] == 'y') && strspn(fpnt+1, "z") == strlen(fpnt+1)) { + /* Ensure the generated filenames will fit into the buffer. */ + if (strlen(fname) + 2 >= sizeof(fname)) + errx(EX_USAGE, "combined filenames would be too long"); + fpnt = fname + strlen(fname) - sufflen; fpnt[sufflen + 2] = '\0'; fpnt[0] = end;
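Review bot: the new check in the autosfx branch is exactly tight for the write that follows, and the comment should say why the constant is 2: with `fpnt = fname + strlen(fname) - sufflen`, the store `fpnt[sufflen + 2] = '\0'` lands at `fname[strlen(fname) + 2]`, which is in bounds only when `strlen(fname) + 2 < sizeof(fname)`, the negation of the condition tested, so "will fit into the buffer" could become something like `/* The suffix grows by two characters; the NUL must still land inside fname. */`. Note also that the check covers only this growth path; any other code that writes into fname is outside this hunk and has to keep its own bound. Minor: EX_USAGE is defensible since the over-long prefix comes from the command line, but the message might mention the limit so the user knows what to shorten.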
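As an added example (not FreeBSD's split.c and not the committer's code), the following C shows the same bounds check applied to a split(1)-style suffix that grows in place inside a fixed buffer, together with the case the check rejects. The growth pattern "yz..z" to "zaa..a" (the suffix gaining two characters) is an assumption inferred from the hunk's `fpnt[sufflen + 2] = '\0'`; the function names and buffer sizes are invented for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Grow a split(1)-style alphabetic suffix in place inside a fixed-size
 * buffer of bufsize bytes.  The name ends in a suffix of sufflen letters.
 * Growth happens only when the suffix is 'y' followed by all 'z'
 * (mirrors the condition in the hunk); the suffix then becomes 'z'
 * followed by sufflen + 1 'a's, i.e. two characters longer (assumption
 * inferred from fpnt[sufflen + 2] = '\0' in the hunk).
 *
 * Returns the new suffix length, or -1 if the grown name plus its NUL
 * would not fit; in that case the buffer is left untouched.
 */
int grow_suffix(char *name, size_t bufsize, int sufflen)
{
	size_t len = strlen(name);
	char *fpnt;

	if (sufflen < 1 || len < (size_t)sufflen || len >= bufsize)
		return -1;
	fpnt = name + len - sufflen;

	/* Not at the last sufflen-character name yet: nothing to grow. */
	if (fpnt[0] != 'y' || strspn(fpnt + 1, "z") != strlen(fpnt + 1))
		return sufflen;

	/*
	 * The grown name has len + 2 characters, so its NUL is stored at
	 * index len + 2, which must be < bufsize.  A looser test such as
	 * len + 1 >= bufsize would still let that NUL go one byte past the end.
	 */
	if (len + 2 >= bufsize)
		return -1;

	fpnt[0] = 'z';
	memset(fpnt + 1, 'a', (size_t)sufflen + 1);
	fpnt[sufflen + 2] = '\0';
	return sufflen + 2;
}

/* Demo harness (invented): load `start` into a scratch buffer and grow it
 * as if the buffer were only bufsize bytes long. */
static char demo_buf[64];

int demo_grow(const char *start, size_t bufsize, int sufflen)
{
	if (bufsize > sizeof demo_buf || strlen(start) >= sizeof demo_buf)
		return -2;
	strcpy(demo_buf, start);
	return grow_suffix(demo_buf, bufsize, sufflen);
}

const char *demo_result(void)
{
	return demo_buf;
}

int main(void)
{
	char name[6];	/* constructed: exactly room for "xzaaa" and its NUL */
	char tight[5];	/* constructed: one byte short, NUL would land at tight[5] */
	int n;

	strcpy(name, "xyz");
	n = grow_suffix(name, sizeof name, 2);
	printf("%s (sufflen %d)\n", name, n);	/* prints "xzaaa (sufflen 4)" */

	strcpy(tight, "xyz");
	n = grow_suffix(tight, sizeof tight, 2);
	printf("%s (result %d)\n", tight, n);	/* prints "xyz (result -1)" */
	return 0;
}
```

The `tight` case is the one the commit's check is for: without `len + 2 >= bufsize` the NUL would be written one byte past the buffer, which is the overflow the commit message describes.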
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202405030829.4438TUWK009949>