system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-11-05 18:22:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

Tighten boundary check in split(1) to prevent a potential buffer overflow.

Browse source 
Before increasing sufflen, make sure the current name plus two (including
the terminating NUL character and the to-be-added character) does not
exceed the fixed buffer length, and stop immediately if this would occur.

In worst case scenario the code would write an nul character beyond the
boundary, however it would be caught by open(2) and based on the memory
layout, we do not believe this would constitute a security vulnerability.

MFC after:	3 days
This commit is contained in:
Shawn Bayern 2024-05-03 00:46:18 -07:00 committed by Xin LI
parent bf8988187f
commit 95032b58a1
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
usr.bin/split/split.c
View file

@ -390,6 +390,10 @@ newfile(void)
*/
if (!dflag && autosfx && (fpnt[0] == 'y') &&
strspn(fpnt+1, "z") == strlen(fpnt+1)) {
/* Ensure the generated filenames will fit into the buffer. */
if (strlen(fname) + 2 >= sizeof(fname))
errx(EX_USAGE, "combined filenames would be too long");
fpnt = fname + strlen(fname) - sufflen;
fpnt[sufflen + 2] = '\0';
fpnt[0] = end;