bug-tar

[Bug-tar] [PATCH] Possible off-by-one in readlink result


From: Tobias Stoeckmann
Subject: [Bug-tar] [PATCH] Possible off-by-one in readlink result
Date: Sun, 12 Jul 2015 11:37:27 +0200

The target length of a symbolic link is saved in stat.st_size. The
code already adds one byte for a terminating nul that has to be added
manually. But afterwards, readlink gets "stat.st_size + 1" as argument.
If the symbolic link in question gets replaced with a longer one between
lstat and readlink, the terminating '\0' will overflow the buffer by
one.
---
 src/create.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/create.c b/src/create.c
index 1b08e0b..baf19e2 100644
--- a/src/create.c
+++ b/src/create.c
@@ -1843,7 +1843,7 @@ dump_file0 (struct tar_stat_info *st, char const *name, 
char const *p)
       if (linklen != st->stat.st_size || linklen + 1 == 0)
        xalloc_die ();
       buffer = (char *) alloca (linklen + 1);
-      size = readlinkat (parentfd, name, buffer, linklen + 1);
+      size = readlinkat (parentfd, name, buffer, linklen);
       if (size < 0)
        {
          file_removed_diag (p, top_level, readlink_diag);
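Review bot: bounding readlinkat to linklen closes the one-byte overflow, but it also makes a link that grew between lstat and readlinkat indistinguishable from an unchanged one: the call truncates the target to linklen bytes and returns linklen, so the code after this hunk will dump a silently truncated link target instead of taking the file-changed path. An alternative that keeps the race detectable is to leave the size argument at linklen + 1 and guard the terminator write with `if (size > linklen)` routing to the same diagnostic as the size < 0 case, so the '\0' is only written when the result fits in the alloca'd linklen + 1 bytes.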
-- 
2.4.5
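The race the message describes (lstat reports one length, the link is replaced, readlink then returns something longer) is a general TOCTOU hazard for any code that sizes a readlink buffer from st_size. The following is an added example, not tar's code, showing the pattern the reviewer would want: allocate st_size + 2, ask readlink for st_size + 1, and treat any result other than st_size as "the link changed" before writing the terminator. The function names (`read_link_expected`, `read_link_target`, `demo_read_link`), the temporary directory and the target string are constructed for the example; the demo passes a deliberately wrong expected length to stand in for a link that grew or shrank after lstat.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the target of symlink NAME into a malloc'd, NUL-terminated buffer,
   given LINKLEN, the length we believe the target has (from lstat).
   Returns NULL on error; *changed is set to 1 when the target's actual
   length differs from LINKLEN, i.e. the link was replaced after lstat. */
char *read_link_expected(const char *name, size_t linklen, int *changed)
{
    *changed = 0;
    if (linklen + 1 == 0)            /* size_t overflow guard, as in tar */
        return NULL;
    /* One byte for the terminator plus one sentinel byte: asking readlink
       for linklen + 1 bytes means a result of linklen + 1 proves growth,
       and the terminator at buf[n] always fits in linklen + 2 bytes. */
    char *buf = malloc(linklen + 2);
    if (buf == NULL)
        return NULL;
    ssize_t n = readlink(name, buf, linklen + 1);
    if (n < 0) {
        free(buf);
        return NULL;
    }
    if ((size_t) n != linklen) {
        /* Shorter (n < linklen) or longer (n == linklen + 1) than lstat
           said: the file changed underneath us. Report instead of using
           a truncated or mis-sized target. */
        *changed = 1;
        free(buf);
        return NULL;
    }
    buf[n] = '\0';                   /* safe: buf holds linklen + 2 bytes */
    return buf;
}

/* lstat NAME, then read its target with the length lstat reported. */
char *read_link_target(const char *name, int *changed)
{
    struct stat st;
    *changed = 0;
    if (lstat(name, &st) < 0 || !S_ISLNK(st.st_mode))
        return NULL;
    return read_link_expected(name, (size_t) st.st_size, changed);
}

/* Creates a symlink in a scratch directory and checks three cases:
   unchanged link, link "grew" after lstat, link "shrank" after lstat.
   Returns 0 when all three behave as intended. */
int demo_read_link(void)
{
    char dir[] = "/tmp/readlink-demo-XXXXXX";   /* constructed location */
    char dir_cwd[] = "./readlink-demo-XXXXXX";  /* fallback if /tmp fails */
    char *d = mkdtemp(dir);
    if (d == NULL)
        d = mkdtemp(dir_cwd);
    if (d == NULL)
        return 1;

    char link[PATH_MAX];
    snprintf(link, sizeof link, "%s/link", d);
    const char *target = "some/fairly/long/target/path"; /* constructed */
    size_t len = strlen(target);
    int rc = 2;

    if (symlink(target, link) == 0) {
        int changed;
        char *got = read_link_target(link, &changed);
        int ok_exact = got != NULL && changed == 0 && strcmp(got, target) == 0;
        free(got);

        /* Pretend lstat saw a shorter link: readlink now returns len,
           which is linklen + 1, so growth is detected, not overflowed. */
        char *g = read_link_expected(link, len - 1, &changed);
        int ok_grew = g == NULL && changed == 1;
        free(g);

        /* Pretend lstat saw a longer link: readlink returns fewer bytes. */
        char *s = read_link_expected(link, len + 1, &changed);
        int ok_shrank = s == NULL && changed == 1;
        free(s);

        rc = (ok_exact && ok_grew && ok_shrank) ? 0 : 3;
        unlink(link);
    }
    rmdir(d);
    return rc;
}

int main(void)
{
    int rc = demo_read_link();
    printf("demo_read_link: %s\n", rc == 0 ? "all cases handled" : "failed");
    return rc;
}
```

The key property is that the terminator write never depends on what readlink returned: the buffer is sized for the largest value readlink can hand back plus one, so a concurrent replacement of the link shows up as `*changed` rather than as a one-byte heap or stack overwrite.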