This is the mail archive of the cygwin-patches mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[PATCH] Buffer over-run fix for getusershell(3)


This is the first patch resulting from the Coverity Scan analysis of the Cygwin source code. The patch fixes Coverity ID 59932. Note that we don't have that many bugs in the Cygwin source code - that's just an ID that Coverity assigned to this issue. The patch is only a single line, so it falls into our definition of 'trivial'.

getusershell(3) returns the next line from the '/etc/shells' file [1]. This contains a path to an executable, so it makes sense for 'buf' to contain PATH_MAX characters.

Now, the definition of PATH_MAX is the maximum length of the path, including the null terminator [2]. So the for() loop should copy PATH_MAX-1 characters, in order to allow for the null terminator.

However, by copying PATH_MAX characters, there is a possible buffer over-run when the null terminator is applied. The patch (attached) corrects this.

Change Log:
2014-05-18  David Stacey  <drstacey@tiscali.co.uk>

        * winsup/cygwin/syscalls.cc(getusershell) :
        Fixed theoretical buffer overrun of 'buf' that would occur if
        /etc/shells contained a line longer than 4095 characters.

Cheers,

Dave.

[1] http://linux.die.net/man/3/getusershell
[2] http://pubs.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html

Attachment: getusershell_buffer_overrun.patch
Description: Text document


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]