From f82edc578e749e116af84cbb7c22af5e993840e6 Mon Sep 17 00:00:00 2001 From: Moritz Jodeit Date: Fri, 21 Sep 2007 12:06:39 +0000 Subject: Add some more truncation checks for path construction in tmpnam(3). ok ray@ --- lib/libc/stdio/tempnam.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) (limited to 'lib/libc') diff --git a/lib/libc/stdio/tempnam.c b/lib/libc/stdio/tempnam.c index 46b9d5536f8..279ff5690e6 100644 --- a/lib/libc/stdio/tempnam.c +++ b/lib/libc/stdio/tempnam.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tempnam.c,v 1.15 2007/09/17 15:12:44 moritz Exp $ */ +/* $OpenBSD: tempnam.c,v 1.16 2007/09/21 12:06:38 moritz Exp $ */ /* * Copyright (c) 1988, 1993 * The Regents of the University of California. All rights reserved. @@ -44,7 +44,7 @@ extern char *_mktemp(char *); char * tempnam(const char *dir, const char *pfx) { - int sverrno; + int sverrno, len; char *f, *name; if (!(name = malloc(MAXPATHLEN))) @@ -54,27 +54,43 @@ tempnam(const char *dir, const char *pfx) pfx = "tmp."; if (issetugid() == 0 && (f = getenv("TMPDIR")) && *f != '\0') { - (void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, - *(f + strlen(f) - 1) == '/'? "": "/", pfx); + len = snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, + f[strlen(f) - 1] == '/' ? "" : "/", pfx); + if (len < 0 || len >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return(NULL); + } if ((f = _mktemp(name))) return(f); } if (dir != NULL) { f = *dir ? (char *)dir : "."; - (void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, - *(f + strlen(f) - 1) == '/'? "": "/", pfx); + len = snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, + f[strlen(f) - 1] == '/' ? "" : "/", pfx); + if (len < 0 || len >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return(NULL); + } if ((f = _mktemp(name))) return(f); } f = P_tmpdir; - (void)snprintf(name, MAXPATHLEN, "%s%sXXXXXXXXX", f, pfx); + len = snprintf(name, MAXPATHLEN, "%s%sXXXXXXXXX", f, pfx); + if (len < 0 || len >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return(NULL); + } if ((f = _mktemp(name))) return(f); f = _PATH_TMP; - (void)snprintf(name, MAXPATHLEN, "%s%sXXXXXXXXX", f, pfx); + len = snprintf(name, MAXPATHLEN, "%s%sXXXXXXXXX", f, pfx); + if (len < 0 || len >= MAXPATHLEN) { + errno = ENAMETOOLONG; + return(NULL); + } if ((f = _mktemp(name))) return(f); -- cgit v1.2.3