posix: execvpe: fix UMR with file > NAME_MAX [BZ #33627]

* posix/execvpe.c (__execvpe_common): Since strnlen doesn't inspect
beyond NAME_MAX and NAME_MAX does not cover the NUL, we need
to explicitly check for the NUL.  I.e. the existing check for,
file_len-1 > NAME_MAX, was never true.  This check is required
so that we're guaranteed that file_len includes the NUL, as we
depend on that in the following memcpy to properly terminate
the file buffer passed to execve().  Otherwise that call will trigger
UMR when inspecting the passed file, which can be seen with valgrind.
Note returning ENAMETOOLONG early here for FILE names > NAME_MAX
will also avoid redundant processing of ENAMETOOLONG on each entry
in $PATH, after the change in [BZ #33626] is applied.

Reviewed-by: Collin Funk <collin.funk1@gmail.com>

diff --git a/posix/execvpe.c b/posix/execvpe.c
index c139dfe8fde6b12dcf2dc4e20e4233157e53384e..de5fc14eda58db1ec0a086bfff940de33eed6a6e 100644 (file)
--- a/posix/execvpe.c
+++ b/posix/execvpe.c
@@ -98,8 +98,9 @@ __execvpe_common (const char *file, char *const argv[], char *const envp[],
   size_t file_len = __strnlen (file, NAME_MAX) + 1;
   size_t path_len = __strnlen (path, PATH_MAX - 1) + 1;
 
-  /* NAME_MAX does not include the terminating null character.  */
-  if ((file_len - 1 > NAME_MAX)
+  /* NAME_MAX does not include the terminating NUL character.
+     The following check ensures FILE is NUL terminated.  */
+  if ((file_len - 1 == NAME_MAX && file[NAME_MAX] != '\0')
       || !__libc_alloca_cutoff (path_len + file_len + 1))
     {
       errno = ENAMETOOLONG;