realpath(3) bug fix: There was an off-by-one error in computing the

size of the resulting canonical path.

3 files changed, 6 insertions, 2 deletions

diff --git a/UPDATING b/UPDATING
index 9c6a60744e69..c750e7d8adad 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,9 @@ minimal number of processes, if possible, for that patch.  For those
 updates that don't have an advisory, or to be safe, you can do a full
 build and install as described in the COMMON ITEMS section.
 
+20030804:	p11	FreeBSD-SA-03:08.realpath
+	Correct a single byte buffer overflow in realpath(3).
+
 20030329:	p10	FreeBSD-SA-03:07.sendmail
 	sendmail address parsing buffer overflow.
 
diff --git a/lib/libc/stdlib/realpath.c b/lib/libc/stdlib/realpath.c
index 0217dde5f6a6..520624a9fef2 100644
--- a/lib/libc/stdlib/realpath.c
+++ b/lib/libc/stdlib/realpath.c
@@ -138,7 +138,8 @@ loop:
 		rootd = 0;
 
 	if (*wbuf) {
-		if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
+		if (strlen(resolved) + strlen(wbuf) + (1-rootd) + 1 >
+		    MAXPATHLEN) {
 			errno = ENAMETOOLONG;
 			goto err1;
 		}
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index ddb3271d08a6..15a254cf4c69 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
 
 TYPE="FreeBSD"
 REVISION="4.7"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"