diff options
author | Moritz Jodeit <moritz@cvs.openbsd.org> | 2007-09-21 12:06:39 +0000 |
---|---|---|
committer | Moritz Jodeit <moritz@cvs.openbsd.org> | 2007-09-21 12:06:39 +0000 |
commit | f82edc578e749e116af84cbb7c22af5e993840e6 (patch) | |
tree | 4b66e9c8206ceeae2c5cb2997ca6582e4da4cf0a /lib/libc | |
parent | 381b8cc5dd7f9f2a4ebc375fc9b327933c7900c0 (diff) |
Add some more truncation checks for path construction in tmpnam(3).
ok ray@
Diffstat (limited to 'lib/libc')
-rw-r--r-- | lib/libc/stdio/tempnam.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/lib/libc/stdio/tempnam.c b/lib/libc/stdio/tempnam.c index 46b9d5536f8..279ff5690e6 100644 --- a/lib/libc/stdio/tempnam.c +++ b/lib/libc/stdio/tempnam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tempnam.c,v 1.15 2007/09/17 15:12:44 moritz Exp $ */ +/* $OpenBSD: tempnam.c,v 1.16 2007/09/21 12:06:38 moritz Exp $ */ /* * Copyright (c) 1988, 1993 * The Regents of the University of California. All rights reserved. @@ -44,7 +44,7 @@ extern char *_mktemp(char *); char * tempnam(const char *dir, const char *pfx) { - int sverrno; + int sverrno, len; char *f, *name; if (!(name = malloc(MAXPATHLEN))) @@ -54,27 +54,43 @@ tempnam(const char *dir, const char *pfx) pfx = "tmp."; if (issetugid() == 0 && (f = getenv("TMPDIR")) && *f != '\0') { - (void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, - *(f + strlen(f) - 1) == '/'? "": "/", pfx); + len = snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, + f[strlen(f) - 1] == '/' ? "" : "/", pfx); + if (len < 0 || len >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return(NULL); + } if ((f = _mktemp(name))) return(f); } if (dir != NULL) { f = *dir ? (char *)dir : "."; - (void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, - *(f + strlen(f) - 1) == '/'? "": "/", pfx); + len = snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, + f[strlen(f) - 1] == '/' ? "" : "/", pfx); + if (len < 0 || len >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return(NULL); + } if ((f = _mktemp(name))) return(f); } f = P_tmpdir; - (void)snprintf(name, MAXPATHLEN, "%s%sXXXXXXXXX", f, pfx); + len = snprintf(name, MAXPATHLEN, "%s%sXXXXXXXXX", f, pfx); + if (len < 0 || len >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return(NULL); + } if ((f = _mktemp(name))) return(f); f = _PATH_TMP; - (void)snprintf(name, MAXPATHLEN, "%s%sXXXXXXXXX", f, pfx); + len = snprintf(name, MAXPATHLEN, "%s%sXXXXXXXXX", f, pfx); + if (len < 0 || len >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return(NULL); + } if ((f = _mktemp(name))) return(f); |