From: Justin Maggard Date: Wed, 15 Jul 2015 19:26:47 +0000 (-0700) Subject: Handle fpathconf() errors. X-Git-Tag: v0.2.8~4^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fe7fcaa0c2c9229cd5c1e24766a2a5ee67ef5a24;p=thirdparty%2Fsnapper.git Handle fpathconf() errors. In one place snapper calls fpathconf(.., _PC_NAME_MAX) to determine the size of a buffer used to hold readdir_r() results. fpathconf() may return -1 on error, but this fpathconf() call's return value is unchecked. This can result in allocating a buffer that is too small for readdir_r()'s results, resulting in out-of-bounds memory access. Fix it by falling back to using NAME_MAX if fpathconf(.., _PC_NAME_MAX) fails. Signed-off-by: Justin Maggard --- diff --git a/snapper/FileUtils.cc b/snapper/FileUtils.cc index 3017451b..78ff7a39 100644 --- a/snapper/FileUtils.cc +++ b/snapper/FileUtils.cc @@ -207,7 +207,10 @@ namespace snapper vector ret; - size_t len = offsetof(struct dirent, d_name) + fpathconf(dirfd, _PC_NAME_MAX) + 1; + long sz = fpathconf(dirfd, _PC_NAME_MAX); + if (sz == -1) + sz = NAME_MAX; + size_t len = offsetof(struct dirent, d_name) + sz + 1; struct dirent* ep = (struct dirent*) malloc(len); struct dirent* epp;
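Review bot: the new `if (sz == -1)` check in the snapper/FileUtils.cc hunk catches only the failure return, so any other value fpathconf() reports, including one smaller than NAME_MAX, still sizes the readdir_r() buffer on its own. Clamping instead, for example `if (sz < NAME_MAX) sz = NAME_MAX;`, would handle the -1 case and also guarantee that `len` is never smaller than it is on the fallback path. fpathconf() also returns -1 with errno unchanged when the limit is indeterminate, not only on error. The fallback covers both cases, but a short comment saying so would help the next reader. The patch touches only this hunk and adds no include, so please confirm that `<limits.h>` (or `<climits>`) is already pulled into this file for NAME_MAX. The visible context ends before any check of the malloc(len) result; if none follows, `ep` needs a null check before it is handed to readdir_r(). Longer term, readdir_r() is deprecated in current glibc in favour of readdir(), which removes the caller-sized buffer entirely.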