From: Prasanna Paithankar <paithankarprasanna@gmail.com>
Date: Thu, 4 Sep 2025 23:24:34 +0000 (+0530)
Subject: shm-directory: Truncated struct member name length
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ae9b660486c719f40b39a00619890c4aeeee881;p=thirdparty%2Fglibc.git

shm-directory: Truncated struct member name length

The struct shmdir_name in include/shm-directory.h has name field to
contains the full path of the POSIX IPC object (shm and sem).
The size was previously set to sizeof (SHMDIR) + 4 + NAME_MAX, where 4
bytes were reserved for the optional "sem." prefix.

This led to incorrect execution of the __shm_get_name function
in posix/shm-directory.c which is used accross in shm_[open/unlink] and
sem_[open/unlink] functions.

For shm_[open/unlink]:
This is because the name field was large enough to hold 268 characters
(255 + 4 + 9) instead of the maximum allowed 263 characters (255 + 9).
This caused the __shm_get_name to not throw ENAMETOOLONG error when the
name length exceeded NAME_MAX (255) upto 259 characters.

For sem_[open/unlink]:
Similarly, the __shm_get_name incorrectly returned success for names of
length 255 instead of 251 (255 - 4).

This was overlooked as finally these functions throw the correct
ENAMETOOLONG error; which was thrown by the openat syscall, which is
called later in the shm_* and sem_* functions.

This patch corrects the size of name field in struct shmdir_name to
sizeof (SHMDIR) + NAME_MAX. The __shm_get_name function return
ENAMETOOLONG if alloc_buffer_has_failed returns true (which only happens
when copy length > alloc_buffer_size (buffer)).

Relevant runtime monitoring were done in gdb to confirm the same.

Signed-off-by: Prasanna Paithankar <paithankarprasanna@gmail.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
---

diff --git a/include/shm-directory.h b/include/shm-directory.h
index 1c0f9fcc89..8dc5befb96 100644
--- a/include/shm-directory.h
+++ b/include/shm-directory.h
@@ -28,8 +28,8 @@
 struct shmdir_name
 {
   /* The combined prefix/name.  The sizeof includes the terminating
-     NUL byte.  4 bytes are needed for the optional "sem." prefix.  */
-  char name[sizeof (SHMDIR) + 4 + NAME_MAX];
+     NUL byte.  */
+  char name[sizeof (SHMDIR) + NAME_MAX];
 };
 
 /* Sets RESULT->name to the constructed name and returns 0 on success,
diff --git a/posix/shm-directory.c b/posix/shm-directory.c
index c1e9c6c434..b578ada580 100644
--- a/posix/shm-directory.c
+++ b/posix/shm-directory.c
@@ -58,11 +58,7 @@ __shm_get_name (struct shmdir_name *result, const char *name, bool sem_prefix)
   if (namelen == 0 || memchr (name, '/', namelen) != NULL)
     return EINVAL;
   if (alloc_buffer_has_failed (&buffer))
-    {
-      if (namelen > NAME_MAX)
-        return ENAMETOOLONG;
-      return EINVAL;
-    }
+    return ENAMETOOLONG;
   return 0;
 }
 libc_hidden_def (__shm_get_name)