From dfdee678fd03cac5ff7c47a270bdf5bd2c745f59 Mon Sep 17 00:00:00 2001
From: jh
Date: Sun, 28 Feb 2010 13:31:29 +0000
Subject: [PATCH] In _gettemp(), check that the length of the path doesn't exceed MAXPATHLEN. Otherwise the path name (or part of it) may not fit to carrybuf causing a buffer overflow.
PR: bin/140228
Suggested by: jilles
---
 lib/libc/stdio/mktemp.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/libc/stdio/mktemp.c b/lib/libc/stdio/mktemp.c
index 3f1e699f213e..a30b930354e3 100644
--- a/lib/libc/stdio/mktemp.c
+++ b/lib/libc/stdio/mktemp.c
@@ -116,6 +116,10 @@ _gettemp(path, doopen, domkdir, slen)
 for (trv = path; *trv != '\0'; ++trv)
 ;
+ if (trv - path >= MAXPATHLEN) {
+ errno = ENAMETOOLONG;
+ return (0);
+ }
 trv -= slen;
 suffp = trv;
 --trv;
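Review bot: The `trv -= slen` immediately after the new guard is still unchecked in the visible lines, so a `slen` larger than the path length (or negative, if its type allows) moves `trv` outside the string before anything compares it with `path`, and forming that pointer is already undefined behaviour. The length is known at this point, so the same spot could reject it with `if (slen < 0 || slen > trv - path) { errno = EINVAL; return (0); }`. The body of `_gettemp` continues past the hunk, so any later `trv < path` test is not visible here; it would be worth confirming that it runs before `suffp` is read. The new check would also benefit from a short comment such as `/* the path must fit in carrybuf, see below */`, since only the commit message explains why MAXPATHLEN is the limit.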