12/27: libutil: Improve errmsg on readLink size mismatch.
From: Ludovic Courtès
Subject: 12/27: libutil: Improve errmsg on readLink size mismatch.
Date: Wed, 03 Jun 2015 22:00:38 +0000
civodul pushed a commit to branch nix
in repository guix.
commit 0fed5fde65e4a0cd600dc181e5b3c42d1147df51
Author: aszlig <address@hidden>
Date: Fri Jan 2 03:27:39 2015 +0100
libutil: Improve errmsg on readLink size mismatch.
A message like "error: reading symbolic link `...' : Success" really is
quite confusing, so let's not indicate "success" but rather point out
the real issue.
We could also limit the check of this to just check for non-negative
values, but this would introduce a race condition between stat() and
readlink() if the link target changes between those two calls, thus
leading to a buffer overflow vulnerability.
Reported by @Ericson2314 on IRC. Happened due to a possible ntfs-3g bug
where a relative symlink returned the absolute path (st_)size in stat()
while readlink() returned the relative size.
Signed-off-by: aszlig <address@hidden>
Tested-by: John Ericson <address@hidden>
---
nix/libutil/util.cc | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
index 7998664..410d0f2 100644
--- a/nix/libutil/util.cc
+++ b/nix/libutil/util.cc
@@ -193,8 +193,12 @@ Path readLink(const Path & path)
if (!S_ISLNK(st.st_mode))
throw Error(format("`%1%' is not a symlink") % path);
char buf[st.st_size];
- if (readlink(path.c_str(), buf, st.st_size) != st.st_size)
- throw SysError(format("reading symbolic link `%1%'") % path);
+ ssize_t rlsize = readlink(path.c_str(), buf, st.st_size);
+ if (rlsize == -1)
+ throw SysError(format("reading symbolic link '%1%'") % path);
+ else if (rlsize != st.st_size)
+ throw Error(format("symbolic link '%1%' size mismatch %2% != %3%")
+ % path % rlsize % st.st_size);
return string(buf, st.st_size);
}
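Review bot: the `rlsize != st.st_size` test in the new `else if` branch cannot see a link target that grew between the stat call and `readlink()`, because `readlink()` never returns more than the buffer size it is given: a longer target comes back as `rlsize == st.st_size` and the function returns a silently truncated path. Sizing the buffer as `st.st_size + 1`, passing that size to `readlink()`, and treating `rlsize > st.st_size` as the mismatch would catch growth as well as shrinkage. Returning `string(buf, rlsize)` rather than `string(buf, st.st_size)` would also keep the copy bounded by what was actually written, so a later relaxation of this check could not read past the bytes `readlink()` filled in. Minor style point: the two new messages quote the path as '%1%' while the unchanged "is not a symlink" message just above still uses `%1%', so the function now mixes both quoting styles.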