The struct shmdir_name in include/shm-directory.h has a name field to
contain the full path of the POSIX IPC object (shm and sem).
The size was previously set to sizeof (SHMDIR) + 4 + NAME_MAX, where 4
bytes were reserved for the optional "sem." prefix.
This led to incorrect execution of the __shm_get_name function
in posix/shm-directory.c which is used across shm_[open/unlink] and
sem_[open/unlink] functions.
For shm_[open/unlink]:
This is because the name field was large enough to hold 268 characters
(255 + 4 + 9) instead of the maximum allowed 263 characters (255 + 9).
This caused the __shm_get_name to not throw ENAMETOOLONG error when the
name length exceeded NAME_MAX (255) up to 259 characters.
For sem_[open/unlink]:
Similarly, the __shm_get_name incorrectly returned success for names of
length 255 instead of 251 (255 - 4).
This was overlooked as finally these functions throw the correct
ENAMETOOLONG error; which was thrown by the openat syscall, which is
called later in the shm_* and sem_* functions.
This patch corrects the size of name field in struct shmdir_name to
sizeof (SHMDIR) + NAME_MAX. The __shm_get_name function returns
ENAMETOOLONG if alloc_buffer_has_failed returns true (which only happens
when copy length > alloc_buffer_size (buffer)).
Relevant runtime monitoring was done in gdb to confirm the same.
Signed-off-by: Prasanna Paithankar <paithankarprasanna@gmail.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
struct shmdir_name
{
/* The combined prefix/name. The sizeof includes the terminating
- NUL byte. 4 bytes are needed for the optional "sem." prefix. */
- char name[sizeof (SHMDIR) + 4 + NAME_MAX];
+ NUL byte. */
+ char name[sizeof (SHMDIR) + NAME_MAX];
};
/* Sets RESULT->name to the constructed name and returns 0 on success,
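Review bot: the rewritten comment above `name` drops the only mention of the optional "sem." prefix, so nothing at the declaration says that the prefix now has to fit inside NAME_MAX. Suggest keeping one sentence there, for example that the optional "sem." prefix counts against NAME_MAX, so a reader of the struct can see why semaphore names are limited to NAME_MAX - 4 characters (the 251 given in the commit message).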
if (namelen == 0 || memchr (name, '/', namelen) != NULL)
return EINVAL;
if (alloc_buffer_has_failed (&buffer))
- {
- if (namelen > NAME_MAX)
- return ENAMETOOLONG;
- return EINVAL;
- }
+ return ENAMETOOLONG;
return 0;
}
libc_hidden_def (__shm_get_name)
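Review bot: the new unconditional `return ENAMETOOLONG;` after `alloc_buffer_has_failed (&buffer)` depends on overflow of the name buffer being the only way the buffer can fail, which is stated in the commit message but nowhere in the code. Suggest a one-line comment at that return recording the invariant, so a later change that adds another failure path does not silently report ENAMETOOLONG for it. The commit message says the behaviour was confirmed in gdb only; a regression test at the boundary lengths (NAME_MAX and NAME_MAX + 1 for shm_open/shm_unlink, NAME_MAX - 4 and NAME_MAX - 3 for sem_open/sem_unlink) would keep the limit from drifting again.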