author | Shawn Bayern <sbayern@law.fsu.edu> | 2024-05-03 07:46:18 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2024-05-03 08:29:20 +0000 |
commit | 95032b58a1ad0fde57518f17805ca721bb4563ad (patch) | |
tree | 1839c26e03c975bba49f7c081802f65c7bc39993 /usr.bin | |
parent | bf8988187f0d0ed87934b6e2537ceb1a8f61fbd4 (diff) | |
Tighten boundary check in split(1) to prevent a potential buffer overflow.
Before increasing sufflen, make sure the current name plus two (including
the terminating NUL character and the to-be-added character) does not
exceed the fixed buffer length, and stop immediately if this would occur.
In the worst case scenario the code would write a NUL character beyond the
boundary, however it would be caught by open(2) and based on the memory
layout, we do not believe this would constitute a security vulnerability.
MFC after: 3 days
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/split/split.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/usr.bin/split/split.c b/usr.bin/split/split.c index 0241637c93ad..2724f8a20cde 100644 --- a/usr.bin/split/split.c +++ b/usr.bin/split/split.c @@ -390,6 +390,10 @@ newfile(void) */ if (!dflag && autosfx && (fpnt[0] == 'y') && strspn(fpnt+1, "z") == strlen(fpnt+1)) { + /* Ensure the generated filenames will fit into the buffer. */ + if (strlen(fname) + 2 >= sizeof(fname)) + errx(EX_USAGE, "combined filenames would be too long"); + fpnt = fname + strlen(fname) - sufflen; fpnt[sufflen + 2] = '\0'; fpnt[0] = end; |
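Review bot: The added guard in newfile() hard-codes `+ 2` without tying it to the write it protects, `fpnt[sufflen + 2] = '\0';` two lines further down, which resolves to `fname[strlen(fname) + 2]`. The bound itself is right (that index has to stay below `sizeof(fname)`, and `>=` rejects exactly the cases where it would not), but the comment should state that the terminator moves two bytes past the current end of the name, so a later change to how far the suffix grows does not leave the check and the write out of step. The commit message describes the two as the NUL plus one added character, which does not match that index, so the in-code comment is the place to make this precise. Two smaller points: `strlen(fname)` is evaluated in the check and again when computing `fpnt`, so a local would keep the two uses visibly identical; and the errx() text "combined filenames would be too long" does not tell the user that it is the automatic suffix expansion that ran out of room in the name buffer.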