equal
deleted
inserted
replaced
|
1 --- lib/sh/eaccess.c 2012-10-09 12:45:17.924274300 -0700 |
|
2 +++ lib/sh/eaccess.c 2012-10-09 12:44:21.930979200 -0700 |
|
3 @@ -40,6 +40,10 @@ |
|
4 #if !defined (_POSIX_VERSION) && defined (HAVE_SYS_FILE_H) |
|
5 # include <sys/file.h> |
|
6 #endif /* !_POSIX_VERSION */ |
|
7 + |
|
8 +#include <string.h> /* memset(3C) */ |
|
9 +#include <limits.h> /* _XOPEN_PATH_MAX */ |
|
10 + |
|
11 #include "posixstat.h" |
|
12 #include "filecntl.h" |
|
13 |
|
14 @@ -82,7 +86,7 @@ |
|
15 const char *path; |
|
16 struct stat *finfo; |
|
17 { |
|
18 - static char *pbuf = 0; |
|
19 + static char pbuf[_XOPEN_PATH_MAX + 1]; |
|
20 |
|
21 if (*path == '\0') |
|
22 { |
|
23 @@ -108,9 +112,11 @@ |
|
24 trailing slash. Make sure /dev/fd/xx really uses DEV_FD_PREFIX/xx. |
|
25 On most systems, with the notable exception of linux, this is |
|
26 effectively a no-op. */ |
|
27 - pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8)); |
|
28 + /* The way CVE-2012-3410 was fixed is wrong */ |
|
29 + (void) memset (pbuf, '\0', sizeof(pbuf)); |
|
30 strcpy (pbuf, DEV_FD_PREFIX); |
|
31 - strcat (pbuf, path + 8); |
|
32 + strncat (pbuf, path + 8, |
|
33 + (size_t) (sizeof(pbuf) - sizeof(DEV_FD_PREFIX))); |
|
34 return (stat (pbuf, finfo)); |
|
35 #endif /* !HAVE_DEV_FD */ |
|
36 } |