Re: overflow() at stdlib.h

[Rich Felker <dalias@libc.org>]

On Thu, Jul 12, 2018 at 07:55:56PM +0530, m0rtal f!w wrote:
> Team,
> 
> File: stdlib.h#L:113
> 
> i.e
> char *realpath (const char *__restrict, char *__restrict);
> 
> According to the documentation of realpath() the output buffer needs to be
> at least of size PATH_MAX specifying output buffers large enough to handle
> the maximum-size possible result from path manipulation functions. (In that
> instance, buf's size comes from uv__fs_pathmax_size(). That function
> attempts to use pathconf(path, _PC_PATH_MAX) as noted in the realpath(3)
> docs)

There is no provision in the specification of realpath for use of
pathconf or other facilities for determining a maximum buffer size;
the resolved_name buffer argument must either point to an array of at
least PATH_MAX size, or must be a null pointer, in which case realpath
will allocate storage. Only the latter option when the implementation
does not define PATH_MAX, but musl always defines PATH_MAX.

> But over here uv__fs_pathmax_size() nor pathconf(path, _PC_PATH_MAX) is
> used.

I don't understand what you mean by "is used" here. The only file you
cited is header declarations only, no code, and the declaration is
exactly the only thing it's permitted to be (the one mandated by the
standard).

> Passing an inadequately-sized output buffer to a path manipulation function
> can result in a buffer overflow. Such functions include realpath()
> readlink() PathAppend() and others.
> 
> Request team to have a look and validate.

If an application is not passing an adequately-sized (note: this means
PATH_MAX, not anything else!) buffer, that is an application bug and
the application has undefined behavior.

Rich