Date: Thu, 15 Sep 2005 20:21:58 +1000 (EST)
From: Bruce Evans
To: Andrey Chernov
Cc: freebsd-bugs@FreeBSD.org, Trevor Blackwell, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/86135: Fwd: Latent buffer overflow in getcwd
Message-ID: <20050915195845.N2469@epsplex.bde.org>
In-Reply-To: <20050915043553.GA26630@nagual.pp.ru>
References: <1126728802.42486.3239.camel@lab> <20050915120351.Q43928@delplex.bde.org> <20050915043553.GA26630@nagual.pp.ru>

On Thu, 15 Sep 2005, Andrey Chernov wrote:

> On Thu, Sep 15, 2005 at 01:27:03PM +1000, Bruce Evans wrote:
>> MAXPATHLEN is not very relevant here -- the size needed is just the size of
>> our buffer, and MAXPATHLEN bytes is neither usually necessary nor always
>
> While it can be so for "up", it is not so for "ep", since it is
> filled by __getcwd() syscall and can't be bigger.
>
> Could you consider MAXPATHLEN for "ep" and 1024 for "up" variant?

The buffer with "ep" is actually "pt" ("ept" is the end of this).  Yes,
it makes no sense to allocate less than {PATH_MAX} bytes for the buffer
with which we make a syscall that might return {PATH_MAX} bytes.

>> - MAXPATHLEN is a misspelling of {PATH_MAX}.
>
> It is BSDism.  getwd(1) refers to MAXPATHLEN too.

imp@ is fixing this BSDism these (except he uses PATH_MAX instead of
{PATH_MAX} so the change is only a style fix) and might not like having
new ones to fix.

BTW, the ERRORS section in getcwd(3) doesn't say that errno is set to
ENAMETOOLONG if the MAXPATHLEN limit is exceeded.

>> - The magic 340 in the above was (1024 - 4) / strlen("../").  Now its
>>   magic is deeper.  340 was wrong even when the initial upsize was known
>>   to be (1024 - 4) since it didn't allow for the NUL terminator or mount
>>   points.  The exact is something like
>>   1 + (initial_upsize - {NAME_MAX} - 1) / strlen("../").
>
> Why is this magic ever needed?  It is only in a comment, not in code.

It is perhaps useful as documentation, but not if it is wrong.  I try not
to put derived magic numbers or their derivation in comments.

Bruce
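The arithmetic behind the 340 and the corrected bound above, worked through in code. This is an added example, not code from the thread or from FreeBSD's libc: it is a constructed model of the "up" buffer (the "../../..." path that a getcwd(3) walk stats for each parent while climbing toward the root), with the end pointer taken from the allocation's own size rather than from MAXPATHLEN, which is the point Bruce makes. Assumptions: {NAME_MAX} is taken as 255, the leading "1 +" in the formula is read as the first level being stat'd as "." rather than "../", the walk is simulated (no filesystem is touched), and all names (struct upbuf, up_push_parent, simulate, ...) are mine.

```c
/* Added example: constructed model of getcwd(3)'s "up" buffer.  Not the
 * thread's or FreeBSD libc's code; the walk is simulated, no filesystem used.
 * Sizes are the ones the thread discusses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UP_INITIAL (1024 - 4) /* historical initial "up" size from the thread */
#define NAME_MAX_A 255        /* assumed {NAME_MAX}; really per-filesystem */

struct upbuf {
    char *up;      /* start of the buffer */
    char *bup;     /* where the next "../" goes */
    char *eup;     /* one past the end: derived from upsize, not MAXPATHLEN */
    size_t upsize;
    int reallocs;
};

static int up_init(struct upbuf *b, size_t upsize)
{
    if (upsize < 2 || (b->up = malloc(upsize)) == NULL)
        return -1;
    b->upsize = upsize;
    b->bup = b->up;
    b->eup = b->up + upsize;
    b->reallocs = 0;
    /* Level 1 is the directory itself, stat'd as "." (assumption: this is
     * what the leading "1 +" in the thread's formula accounts for). */
    b->up[0] = '.';
    b->up[1] = '\0';
    return 0;
}

/* Append "../" for the next parent.  Grow first if there is no room for
 * "../", the longest possible entry name and the NUL, because the walk
 * places candidate entry names right after the "../" prefix. */
static int up_push_parent(struct upbuf *b, size_t name_max)
{
    if ((size_t)(b->eup - b->bup) < strlen("../") + name_max + 1) {
        size_t off = (size_t)(b->bup - b->up);
        char *n = realloc(b->up, b->upsize * 2);
        if (n == NULL)
            return -1;
        b->up = n;
        b->upsize *= 2;
        b->bup = b->up + off;
        b->eup = b->up + b->upsize; /* end pointer follows the real size */
        b->reallocs++;
    }
    memcpy(b->bup, "../", 3);
    b->bup += 3;
    *b->bup = '\0';
    return 0;
}

/* Place an entry name after the "../" prefix, as the walk does when it
 * looks for the child in its parent.  -1 means it would overflow. */
static int up_try_name(struct upbuf *b, const char *name)
{
    size_t n = strlen(name);
    if (n + 1 > (size_t)(b->eup - b->bup))
        return -1;
    memcpy(b->bup, name, n + 1);
    return 0;
}

/* Bytes needed for `levels` levels: "../" for every level but the first
 * ("."), plus one name_max-byte entry name, plus the NUL. */
static size_t bytes_needed(size_t levels, size_t name_max)
{
    return (levels - 1) * strlen("../") + name_max + 1;
}

/* The thread's bound: levels handled before the buffer has to grow. */
static size_t levels_before_realloc(size_t upsize, size_t name_max)
{
    if (upsize < name_max + 1)
        return 0;
    return 1 + (upsize - name_max - 1) / strlen("../");
}

/* The old comment's figure, which left no room for the name or the NUL. */
static size_t naive_levels(size_t upsize)
{
    return upsize / strlen("../"); /* (1024 - 4) / 3 == 340 */
}

/* Walk up `depth` levels, probing a name_max-byte entry at each one.
 * Returns the levels handled before the first reallocation, or -1 if the
 * model ever fails a bounds check (it must not). */
static long simulate(size_t upsize, size_t name_max, size_t depth)
{
    struct upbuf b;
    char *longname = malloc(name_max + 1);
    size_t level, before = 0;
    long rc = -1;

    if (longname == NULL || up_init(&b, upsize) < 0) {
        free(longname);
        return -1;
    }
    memset(longname, 'x', name_max);
    longname[name_max] = '\0';
    for (level = 1; level <= depth; level++) {
        if (b.reallocs == 0)
            before = level;
        if (up_push_parent(&b, name_max) < 0 || up_try_name(&b, longname) < 0)
            goto out;
    }
    rc = (long)before;
out:
    free(longname);
    free(b.up);
    return rc;
}

int main(void)
{
    printf("naive: %zu levels, needing %zu bytes in a %d-byte buffer\n",
           naive_levels(UP_INITIAL),
           bytes_needed(naive_levels(UP_INITIAL), NAME_MAX_A), UP_INITIAL);
    printf("formula: %zu levels before realloc; simulation: %ld\n",
           levels_before_realloc(UP_INITIAL, NAME_MAX_A),
           simulate(UP_INITIAL, NAME_MAX_A, 400));
    return 0;
}
```

With the thread's numbers the naive figure of 340 levels would need 1273 bytes of a 1020-byte buffer, while the corrected formula gives 255 levels, which the simulated walk confirms is exactly where the first reallocation happens; 255 levels need 1018 bytes and 256 would need 1021. The value depends on {NAME_MAX} and on the initial allocation, which is why a fixed number in a comment goes stale.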