Handle fpathconf() errors.

In one place snapper calls fpathconf(.., _PC_NAME_MAX) to determine the size of
a buffer used to hold readdir_r() results.  fpathconf() may return -1 on error,
but this fpathconf() call's return value is unchecked.  This can result in
allocating a buffer that is too small for readdir_r()'s results, resulting in
out-of-bounds memory access.

Fix it by falling back to using NAME_MAX if fpathconf(.., _PC_NAME_MAX) fails.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>

diff --git a/snapper/FileUtils.cc b/snapper/FileUtils.cc
index 3017451bf0ecfbad702e62d667649e76f3e96d60..78ff7a395a5949d27a22f71a5d9a31ffa8c28eeb 100644 (file)
--- a/snapper/FileUtils.cc
+++ b/snapper/FileUtils.cc
@@ -207,7 +207,10 @@ namespace snapper
 
        vector<string> ret;
 
-       size_t len = offsetof(struct dirent, d_name) + fpathconf(dirfd, _PC_NAME_MAX) + 1;
+       long sz = fpathconf(dirfd, _PC_NAME_MAX);
+       if (sz == -1)
+           sz = NAME_MAX;
+       size_t len = offsetof(struct dirent, d_name) + sz + 1;
        struct dirent* ep = (struct dirent*) malloc(len);
        struct dirent* epp;