user/3000: overflow in csh if pathname > PATH_MAX

From: <peterw(at)ifost.org.au>
Date: Thu Nov 28 2002 - 13:33:41 EST


>Number: 3000
>Category: user
>Synopsis: overflow in csh if pathname > PATH_MAX
>Confidential: no
IFOST - http://www.ifost.org.au
>Environment:
        

	System      : OpenBSD 3.1
	Architecture: OpenBSD.i386
	Machine     : i386

>Description:
        

        you can make paths greater than PATH_MAX.

        csh doesn't seem to handle a path being greater than PATH_MAX very well

	the overflow happens when you try to change into a directory which
	has a name greater than PATH_MAX.

>How-To-Repeat:

% /bin/csh

$ cd /tmp
$ perl -e 'print "A"x255' > max
$ mkdir `cat /tmp/max`
$ cd `cat /tmp/max`
$ !mk

mkdir `cat /tmp/max`
$ !c
cd `cat /tmp/max`
$ !mk
mkdir `cat /tmp/max`
$ !c
cd `cat /tmp/max`
$ !m
mkdir `cat /tmp/max`
$ !c
cd `cat /tmp/max`
Segmentation fault (core dumped)
%
#0  dcanon (cp=0x55000, p=0x55808) at dir.c:896
#1  0x4624 in dgoto (cp=0x51600) at dir.c:418
#2  0x4681 in dfollow (cp=0x4f600) at dir.c:441
#3  0x44d5 in dochngd (v=0x4adc4, t=0x48ba0) at dir.c:374
#4  0xa896 in func (t=0x48ba0, bp=0x3de70) at func.c:128
#5  0x161c0 in execute (t=0x48ba0, wanttty=23139, pipein=0x0, pipeout=0x0) at sem.c:382
#6  0x162ff in execute (t=0x48b80, wanttty=23139, pipein=0x0, pipeout=0x0) at sem.c:419
#7  0x34cd in process (catch=1) at csh.c:1120
#8  0x28bd in main (argc=0, argv=0xcfbfdad8) at csh.c:576

in bin/csh/dir.c

Char *
dcanon(cp, p)

    register Char *cp, *p;
{
...

    Char link[MAXPATHLEN];
...

        /*
         * Start comparing dev & ino backwards
         */
        p2 = Strcpy(link, cp);

>Fix:

this mimics the existing behaviour of csh if it encounters a path too big, as far as I can tell ...

Index: bin/csh/dir.c



RCS file: /cvs/src/bin/csh/dir.c,v
retrieving revision 1.8
diff -u -r1.8 dir.c
--- bin/csh/dir.c	2002/08/12 00:42:56	1.8
+++ bin/csh/dir.c	2002/11/28 18:22:42
@@ -645,6 +645,9 @@
     int     cc;
     Char   *newcp;
 
+    if (Strlen(cp) >= MAXPATHLEN)
+	abort();
+
     /*
      * christos: if the path given does not start with a slash prepend cwd. If
      * cwd does not start with a path or the result would be too long abort().
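
Review bot: the length check sits at function entry (the three added lines after `Char   *newcp;`), while the copy the report identifies, `p2 = Strcpy(link, cp);` into `Char link[MAXPATHLEN]`, is at dir.c:896 in the backtrace, after the step the context comment describes as prepending cwd. If cp is replaced by a longer string between those two points (the hunk shows a `newcp` local next to that comment), a check on the incoming cp does not bound what reaches the Strcpy. Consider testing the length immediately before the copy into `link`, or making that copy bounded. Separately, `abort()` here turns an over-long `cd` argument into a terminated shell with a core file; the neighbouring comment shows that is the existing convention, but reporting an error and returning would leave the user's session intact. A one-line comment naming the buffer this check protects would also help the next reader.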

>Release-Note:
Received on Fri Nov 29 10:20:40 2002
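
The arithmetic behind the reproduction steps, as an added example that is not part of the original report or of csh: a length-checked copy into a MAXPATHLEN-sized buffer, run over constructed paths of 255-character components under /tmp. The names `checked_path_copy`, `build_nested_path`, `first_rejected_depth` and the value 1024 for `MAXPATHLEN_DEMO` are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN_DEMO 1024 /* assumption: usual BSD MAXPATHLEN */
#define COMPONENT_LEN 255    /* name length used in the report */

/* Copy src into dst only if it fits with its NUL; else ENAMETOOLONG. */
int checked_path_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize) {
        if (dstsize)
            dst[0] = '\0';      /* leave dst empty, never truncated */
        return ENAMETOOLONG;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed input: "/tmp" plus `depth` components of 255 'A's; 0 if out is too small. */
size_t build_nested_path(char *out, size_t outsize, int depth)
{
    size_t pos = 4;
    if (4 + (size_t)depth * (COMPONENT_LEN + 1) + 1 > outsize)
        return 0;
    memcpy(out, "/tmp", 4);
    for (int i = 0; i < depth; i++) {
        out[pos++] = '/';
        memset(out + pos, 'A', COMPONENT_LEN);
        pos += COMPONENT_LEN;
    }
    out[pos] = '\0';
    return pos;
}

/* First nesting depth whose path is refused by a MAXPATHLEN-sized buffer. */
int first_rejected_depth(int max_depth)
{
    char path[4096], link[MAXPATHLEN_DEMO]; /* link mirrors `Char link[MAXPATHLEN]` */
    for (int d = 1; d <= max_depth; d++) {
        if (build_nested_path(path, sizeof path, d) == 0)
            return -1;
        if (checked_path_copy(link, sizeof link, path) != 0)
            return d;
    }
    return 0;
}

int main(void) { printf("%d\n", first_rejected_depth(8)); return 0; }
```

With these assumed sizes the path first exceeds the buffer at the fourth nested directory (4 + 4 × 256 = 1028 characters), which matches the fourth `cd` in the transcript being the one that crashes.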

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:38 EDT

