upstream: Copy arg to be passed to dirname().

POSIX allows dirname() to modify its args and return a pointer into it,
so this prevents an overlapping strlcpy.  bz#3819, patch from cjwatson
at debian.org

OpenBSD-Commit-ID: c32e496e6a1618aba31c8b7a9d4e1376c5ea6aa1

diff --git a/misc.c b/misc.c
index 25465dcd2d4fd9c68482a0ccff7a4939229755b2..f4e02bd04a78367167537c3113ae1f1defcb1cf1 100644 (file)
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.199 2025/05/05 02:48:06 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.200 2025/05/22 03:53:46 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
@@ -2254,7 +2254,7 @@ int
 safe_path(const char *name, struct stat *stp, const char *pw_dir,
     uid_t uid, char *err, size_t errlen)
 {
-       char buf[PATH_MAX], homedir[PATH_MAX];
+       char buf[PATH_MAX], buf2[PATH_MAX], homedir[PATH_MAX];
        char *cp;
        int comparehome = 0;
        struct stat st;
@@ -2280,7 +2280,12 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
 
        /* for each component of the canonical path, walking upwards */
        for (;;) {
-               if ((cp = dirname(buf)) == NULL) {
+               /*
+                * POSIX allows dirname to modify its argument and return a
+                * pointer into it, so make a copy to avoid overlapping strlcpy.
+                */
+               strlcpy(buf2, buf, sizeof(buf2));
+               if ((cp = dirname(buf2)) == NULL) {
                        snprintf(err, errlen, "dirname() failed");
                        return -1;
                }