sh: Fix bss-based buffer overflow in . builtin.
If the length of a directory in PATH together with the given filename exceeded FILENAME_MAX (which may happen even for pathnames that work), a static buffer was overflown. The static buffer is unnecessary, we can use the stalloc() stack. Obtained from: NetBSD MFC after: 1 week
This commit is contained in:
Jilles Tjoelker
parent
1cb2359e6f
commit
c9e93e6739
@ -281,7 +281,6 @@ readcmdfile(const char *name)
|
||||
static char *
|
||||
find_dot_file(char *basename)
|
||||
{
|
||||
static char localname[FILENAME_MAX+1];
|
||||
char *fullname;
|
||||
const char *path = pathval();
|
||||
struct stat statb;
|
||||
@ -291,10 +290,14 @@ find_dot_file(char *basename)
|
||||
return basename;
|
||||
|
||||
while ((fullname = padvance(&path, basename)) != NULL) {
|
||||
strcpy(localname, fullname);
|
||||
if ((stat(fullname, &statb) == 0) && S_ISREG(statb.st_mode)) {
|
||||
/*
|
||||
* Don't bother freeing here, since it will
|
||||
* be freed by the caller.
|
||||
*/
|
||||
return fullname;
|
||||
}
|
||||
stunalloc(fullname);
|
||||
if ((stat(fullname, &statb) == 0) && S_ISREG(statb.st_mode))
|
||||
return localname;
|
||||
}
|
||||
return basename;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user