From 4957358ed5c0d7575633ac1119282bc1c0001636 Mon Sep 17 00:00:00 2001 From: christos Date: Sun, 17 Apr 2011 23:12:38 +0000 Subject: [PATCH] Correct check for snprintf() overflow via Maksymilian Arciemowicz from FreeBSD. (the bt one was ok, but set errno and make it the same for consistency). [to be pulled up] --- lib/libc/db/btree/bt_open.c | 10 ++++++---- lib/libc/db/hash/hash_page.c | 12 ++++++++---- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/lib/libc/db/btree/bt_open.c b/lib/libc/db/btree/bt_open.c index c5256d171084..633f1c272267 100644 --- a/lib/libc/db/btree/bt_open.c +++ b/lib/libc/db/btree/bt_open.c @@ -1,4 +1,4 @@ -/* $NetBSD: bt_open.c,v 1.24 2008/09/11 12:58:00 joerg Exp $ */ +/* $NetBSD: bt_open.c,v 1.25 2011/04/17 23:12:38 christos Exp $ */ /*- * Copyright (c) 1990, 1993, 1994 @@ -37,7 +37,7 @@ #endif #include -__RCSID("$NetBSD: bt_open.c,v 1.24 2008/09/11 12:58:00 joerg Exp $"); +__RCSID("$NetBSD: bt_open.c,v 1.25 2011/04/17 23:12:38 christos Exp $"); /* * Implementation of btree access method for 4.4BSD. @@ -391,7 +391,7 @@ static int tmp(void) { sigset_t set, oset; - size_t len; + int len; int fd; char *envtmp; char path[PATH_MAX]; @@ -403,8 +403,10 @@ tmp(void) len = snprintf(path, sizeof(path), "%s/bt.XXXXXX", envtmp ? envtmp : _PATH_TMP); - if (len >= sizeof(path)) + if (len < 0 || (size_t)len >= sizeof(path)) { + errno = ENAMETOOLONG; return -1; + } (void)sigfillset(&set); (void)sigprocmask(SIG_BLOCK, &set, &oset); diff --git a/lib/libc/db/hash/hash_page.c b/lib/libc/db/hash/hash_page.c index e79dfd9bf6af..625ea2d00f7f 100644 --- a/lib/libc/db/hash/hash_page.c +++ b/lib/libc/db/hash/hash_page.c @@ -1,4 +1,4 @@ -/* $NetBSD: hash_page.c,v 1.23 2008/09/11 12:58:00 joerg Exp $ */ +/* $NetBSD: hash_page.c,v 1.24 2011/04/17 23:12:38 christos Exp $ */ /*- * Copyright (c) 1990, 1993, 1994 @@ -37,7 +37,7 @@ #endif #include -__RCSID("$NetBSD: hash_page.c,v 1.23 2008/09/11 12:58:00 joerg Exp $"); +__RCSID("$NetBSD: hash_page.c,v 1.24 2011/04/17 23:12:38 christos Exp $"); /* * PACKAGE: hashing @@ -869,15 +869,19 @@ open_temp(HTAB *hashp) sigset_t set, oset; char *envtmp; char namestr[PATH_MAX]; + int len; if (issetugid()) envtmp = NULL; else envtmp = getenv("TMPDIR"); - if (-1 == snprintf(namestr, sizeof(namestr), "%s/_hashXXXXXX", - envtmp ? envtmp : _PATH_TMP)) + len = snprintf(namestr, sizeof(namestr), "%s/_hashXXXXXX", + envtmp ? envtmp : _PATH_TMP); + if (len < 0 || (size_t)len >= sizeof(namestr)) { + errno = ENAMETOOLONG; return -1; + } /* Block signals; make sure file goes away at process exit. */ (void)sigfillset(&set);