From owner-freebsd-bugs@FreeBSD.ORG Thu Sep 15 10:30:16 2005 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E7DFA16A41F for ; Thu, 15 Sep 2005 10:30:16 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B134743D48 for ; Thu, 15 Sep 2005 10:30:16 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j8FAUGlt088022 for ; Thu, 15 Sep 2005 10:30:16 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j8FAUGeD088021; Thu, 15 Sep 2005 10:30:16 GMT (envelope-from gnats) Date: Thu, 15 Sep 2005 10:30:16 GMT Message-Id: <200509151030.j8FAUGeD088021@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Bruce Evans Cc: Subject: Re: bin/86135: Fwd: Latent buffer overflow in getcwd X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Bruce Evans List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Sep 2005 10:30:17 -0000 The following reply was made to PR kern/86135; it has been noted by GNATS. From: Bruce Evans To: Andrey Chernov Cc: Trevor Blackwell , freebsd-bugs@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org Subject: Re: bin/86135: Fwd: Latent buffer overflow in getcwd Date: Thu, 15 Sep 2005 20:21:58 +1000 (EST) On Thu, 15 Sep 2005, Andrey Chernov wrote: > On Thu, Sep 15, 2005 at 01:27:03PM +1000, Bruce Evans wrote: >> MAXPATHLEN is not very relevant here -- the size needed is just the size of >> our buffer, and MAXPATHLEN bytes is neither usually necessary nor always > > While it can be so for "up", it is not so for "ep", since it is > filled by __getcwd() syscall and can't be bigger. > > Could you consider MAXPATHLEN for "ep" and 1024 for "up" variant? The buffer with "ep" is actually "pt" ("ept" is the end of this). Yes, it makes no sense to allocate less than {PATH_MAX} bytes for the buffer with which we make a syscall that might return {PATH_MAX} bytes. >> - MAXPATHLEN is a misspelling of {PATH_MAX}. > > It is BSDsm. getwd(1) refers to MAXPATHLEN too. imp@ is fixing this BSDism these (except he uses PATH_MAX instead of {PATH_MAX} so the change is only a style fix) and might not like having new ones to fix. BTW, the ERRORS section in getcwd(3) doesn't say that errno is set to ENAMETOOLONG if the MAXPATHLEN limit is exceeded. >> - The magic 340 in the above was (1024 - 4) / strlen("../"). Now its >> magic is deeper. 340 was wrong even when the initial upsize was known >> to be (1024 - 4) since it didn't allow for the NUL terminator or mount >> points. The exact is something like >> 1 + (initial_upsize - {NAME_MAX} - 1) / strlen("../"). > > Why ever this magic needed? It is only in comment, not in code. It is perhaps useful as documentation, but not if it is wrong. I try not to put derived magic numbers or their derivation in comments. Bruce