sh: Fix bss-based buffer overflow in . builtin.
If the length of a directory in PATH together with the given filename exceeded FILENAME_MAX (which may happen even for pathnames that work), a static buffer was overflown. The static buffer is unnecessary, we can use the stalloc() stack. Obtained from: NetBSD MFC after: 1 week
This commit is contained in:
Jilles Tjoelker
parent
1cb2359e6f
commit
c9e93e6739
@ -281,7 +281,6 @@ readcmdfile(const char *name)
|
|||||||
static char *
|
static char *
|
||||||
find_dot_file(char *basename)
|
find_dot_file(char *basename)
|
||||||
{
|
{
|
||||||
static char localname[FILENAME_MAX+1];
|
|
||||||
char *fullname;
|
char *fullname;
|
||||||
const char *path = pathval();
|
const char *path = pathval();
|
||||||
struct stat statb;
|
struct stat statb;
|
||||||
@ -291,10 +290,14 @@ find_dot_file(char *basename)
|
|||||||
return basename;
|
return basename;
|
||||||
|
|
||||||
while ((fullname = padvance(&path, basename)) != NULL) {
|
while ((fullname = padvance(&path, basename)) != NULL) {
|
||||||
strcpy(localname, fullname);
|
if ((stat(fullname, &statb) == 0) && S_ISREG(statb.st_mode)) {
|
||||||
|
/*
|
||||||
|
* Don't bother freeing here, since it will
|
||||||
|
* be freed by the caller.
|
||||||
|
*/
|
||||||
|
return fullname;
|
||||||
|
}
|
||||||
stunalloc(fullname);
|
stunalloc(fullname);
|
||||||
if ((stat(fullname, &statb) == 0) && S_ISREG(statb.st_mode))
|
|
||||||
return localname;
|
|
||||||
}
|
}
|
||||||
return basename;
|
return basename;
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user