In _gettemp(), check that the length of the path doesn't exceed

MAXPATHLEN. Otherwise the path name (or part of it) may not fit to carrybuf causing a buffer overflow. PR: bin/140228 Suggested by: jilles
2010-02-28 13:31:29 +00:00 · 2010-02-28 13:31:29 +00:00 · 6ca7812a19
commit 6ca7812a19
parent 8600d13245
1 changed files with 4 additions and 0 deletions
--- a/lib/libc/stdio/mktemp.c
+++ b/lib/libc/stdio/mktemp.c
@ -116,6 +116,10 @@ _gettemp(path, doopen, domkdir, slen)

 	for (trv = path; *trv != '\0'; ++trv)
 		;
+	if (trv - path >= MAXPATHLEN) {
+		errno = ENAMETOOLONG;
+		return (0);
+	}
 	trv -= slen;
 	suffp = trv;
 	--trv;