author | Alexandre Ratchov <ratchov@cvs.openbsd.org> | 2015-10-05 07:18:04 +0000 |
---|---|---|
committer | Alexandre Ratchov <ratchov@cvs.openbsd.org> | 2015-10-05 07:18:04 +0000 |
commit | f3ebb467edd22aedbbf445cd6b4b43ab31e8174a (patch) | |
tree | ba7c372e204389d1b198302a630799c880dae15f | |
parent | 5571d4ab5b936eb33670737b2dbf134124156bfc (diff) |
Fix missing checks for truncation of long file names. Rather than
checking for truncation every time we touch the string, simply allocate
a memory chunk large enough to store the full path.
-rw-r--r-- | lib/libsndio/aucat.c | 42 |
1 files changed, 28 insertions, 14 deletions
diff --git a/lib/libsndio/aucat.c b/lib/libsndio/aucat.c
index 644938f25d0..14b72e8afa8 100644
--- a/lib/libsndio/aucat.c
+++ b/lib/libsndio/aucat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aucat.c,v 1.67 2015/10/02 09:51:54 ratchov Exp $ */
+/* $OpenBSD: aucat.c,v 1.68 2015/10/05 07:18:03 ratchov Exp $ */
 /*
 * Copyright (c) 2008 Alexandre Ratchov <alex@caoua.org>
 *
@@ -208,9 +208,12 @@ aucat_mkcookie(unsigned char *cookie)
 #define COOKIE_SUFFIX "/.aucat_cookie"
 #define TEMPL_SUFFIX ".XXXXXXXX"
 struct stat sb;
- char *home, path[PATH_MAX], tmp[PATH_MAX];
- ssize_t len;
- int fd;
+ char *home, *path = NULL, *tmp = NULL;
+ size_t home_len, path_len;
+ int fd, len;
+
+ /* please gcc */
+ path_len = 0xdeadbeef;
 /*
 * try to load the cookie
@@ -218,7 +221,13 @@ aucat_mkcookie(unsigned char *cookie)
 home = issetugid() ? NULL : getenv("HOME");
 if (home == NULL)
 goto bad_gen;
- snprintf(path, PATH_MAX, "%s" COOKIE_SUFFIX, home);
+ home_len = strlen(home);
+ path = malloc(home_len + sizeof(COOKIE_SUFFIX));
+ if (path == NULL)
+ goto bad_gen;
+ memcpy(path, home, home_len);
+ memcpy(path + home_len, COOKIE_SUFFIX, sizeof(COOKIE_SUFFIX));
+ path_len = home_len + sizeof(COOKIE_SUFFIX) - 1;
 fd = open(path, O_RDONLY);
 if (fd < 0) {
 if (errno != ENOENT)
@@ -243,7 +252,7 @@ aucat_mkcookie(unsigned char *cookie)
 goto bad_close;
 }
 close(fd);
- return 1;
+ goto done;
 bad_close:
 close(fd);
 bad_gen:
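Review bot: A failed `malloc()` for `path` in the `@@ -218` hunk jumps to `bad_gen` with `home` non-NULL, `path` still NULL and `path_len` still holding the `0xdeadbeef` placeholder set in the `@@ -208` hunk. The save path in the last hunk is guarded only by `if (home == NULL)`, so, unless the lines between the hunks (not shown) change that, it goes on to `malloc(path_len + sizeof(TEMPL_SUFFIX))` and `memcpy(tmp, path, path_len)` with a NULL source and a meaningless length. Testing the pointer covers both the no-HOME case and the allocation failure, because `path` is initialised to NULL: `if (path == NULL) goto done;`. With that guard in place the placeholder could also be a plain `path_len = 0;`, which fails safely if a later edit reads it by mistake.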
@@ -256,28 +265,33 @@ bad_gen:
 * try to save the cookie
 */
 if (home == NULL)
- return 1;
- if (strlcpy(tmp, path, PATH_MAX) >= PATH_MAX ||
- strlcat(tmp, TEMPL_SUFFIX, PATH_MAX) >= PATH_MAX) {
- DPRINTF("%s: too long\n", path);
- return 1;
- }
+ goto done;
+ tmp = malloc(path_len + sizeof(TEMPL_SUFFIX));
+ if (tmp == NULL)
+ goto done;
+ memcpy(tmp, path, path_len);
+ memcpy(tmp + path_len, TEMPL_SUFFIX, sizeof(TEMPL_SUFFIX));
 fd = mkstemp(tmp);
 if (fd < 0) {
 DPERROR(tmp);
- return 1;
+ goto done;
 }
 if (write(fd, cookie, AMSG_COOKIELEN) < 0) {
 DPERROR(tmp);
 unlink(tmp);
 close(fd);
- return 1;
+ goto done;
 }
 close(fd);
 if (rename(tmp, path) < 0) {
 DPERROR(tmp);
 unlink(tmp);
 }
+done:
+ if (tmp)
+ free(tmp);
+ if (path)
+ free(path);
 return 1;
 }
|
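Review bot: The `write(fd, cookie, AMSG_COOKIELEN) < 0` test on the unchanged context line accepts a short write, after which `rename(tmp, path)` installs a truncated cookie file in place of the old one. Comparing against the full length closes that gap: `if (write(fd, cookie, AMSG_COOKIELEN) != AMSG_COOKIELEN) {`. How the load path treats a short file is outside this hunk, so the impact may be limited to the cookie being regenerated on the next run. Separately, the `if (tmp)` and `if (path)` guards added under `done:` are redundant, because `free(NULL)` is a no-op.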