From: Pádraig Brady Date: Fri, 14 Nov 2025 13:58:58 +0000 (+0000) Subject: posix: execvpe: fix UMR with file > NAME_MAX [BZ #33627] X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efc8642051e6c4fe5165e8986c1338ba2c180de6;p=thirdparty%2Fglibc.git posix: execvpe: fix UMR with file > NAME_MAX [BZ #33627] * posix/execvpe.c (__execvpe_common): Since strnlen doesn't inspect beyond NAME_MAX and NAME_MAX does not cover the NUL, we need to explicitly check for the NUL. I.e. the existing check for, file_len-1 > NAME_MAX, was never true. This check is required so that we're guaranteed that file_len includes the NUL, as we depend on that in the following memcpy to properly terminate the file buffer passed to execve(). Otherwise that call will trigger UMR when inspecting the passed file, which can be seen with valgrind. Note returning ENAMETOOLONG early here for FILE names > NAME_MAX will also avoid redundant processing of ENAMETOOLONG on each entry in $PATH, after the change in [BZ #33626] is applied. Reviewed-by: Collin Funk --- diff --git a/posix/execvpe.c b/posix/execvpe.c index c139dfe8fd..de5fc14eda 100644 --- a/posix/execvpe.c +++ b/posix/execvpe.c @@ -98,8 +98,9 @@ __execvpe_common (const char *file, char *const argv[], char *const envp[], size_t file_len = __strnlen (file, NAME_MAX) + 1; size_t path_len = __strnlen (path, PATH_MAX - 1) + 1; - /* NAME_MAX does not include the terminating null character. */ - if ((file_len - 1 > NAME_MAX) + /* NAME_MAX does not include the terminating NUL character. + The following check ensures FILE is NUL terminated. */ + if ((file_len - 1 == NAME_MAX && file[NAME_MAX] != '\0') || !__libc_alloca_cutoff (path_len + file_len + 1)) { errno = ENAMETOOLONG;
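Review bot: the added comment above the `if` says the check "ensures FILE is NUL terminated", which reads as if FILE might not be a valid C string. What the test `file_len - 1 == NAME_MAX && file[NAME_MAX] != '\0'` establishes is that the NUL lies within the first NAME_MAX + 1 bytes, so that file_len counts it and the later memcpy copies the terminator. Suggest wording it that way, for example "The following check ensures FILE_LEN includes the terminating NUL." The read of file[NAME_MAX] is in bounds only because strnlen returning NAME_MAX means the first NAME_MAX bytes hold no NUL, and a few words on that in the comment would save the next reader from re-deriving it. The context line for path_len uses the same capped pattern, `__strnlen (path, PATH_MAX - 1) + 1`, and gets no equivalent check in this hunk, so please confirm nothing later relies on path_len covering the NUL. The diff touches only posix/execvpe.c, so a regression test that passes a FILE of NAME_MAX + 1 bytes and expects ENAMETOOLONG would keep the old, never-true comparison from coming back.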