From: Brian Behlendorf <behlendorf1@llnl.gov>
Date: Thu, 4 Oct 2012 19:54:47 +0000 (-0700)
Subject: Realpath arg 2 must be a minimum of PATH_MAX
X-Git-Url: https://git.camperquake.de/gitweb.cgi?a=commitdiff_plain;h=ae380cfa76e4d61bc6373b6b4e97bc3cac0a3a6e;hp=5be98cfe2fd81145c9c16ddbe3b4d7d52f687157;p=zfs.git

Realpath arg 2 must be a minimum of PATH_MAX

The realpath(3) function expects that when a buffer is passed
for the 'resolved_path' that it be at least PATH_MAX in length.
If it's not a buffer overflow may occur.

Therefore the passed buffer size is changed from MAXNAMELEN to
MAXPATHLEN.  We also take this opertunity to dynamically allocate
the buffer to keep it off the stack.

  warning: call to '__realpath_chk_warn' declared with attribute
  warning: second argument of realpath must be either NULL or at
  least PATH_MAX bytes long buffer [enabled by default]

Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
---

diff --git a/cmd/ztest/ztest.c b/cmd/ztest/ztest.c
index 09f3d56..4479c59 100644
--- a/cmd/ztest/ztest.c
+++ b/cmd/ztest/ztest.c
@@ -729,13 +729,16 @@ process_options(int argc, char **argv)
 	    UINT64_MAX >> 2);
 
 	if (strlen(altdir) > 0) {
-		char cmd[MAXNAMELEN];
-		char realaltdir[MAXNAMELEN];
+		char *cmd;
+		char *realaltdir;
 		char *bin;
 		char *ztest;
 		char *isa;
 		int isalen;
 
+		cmd = umem_alloc(MAXPATHLEN, UMEM_NOFAIL);
+		realaltdir = umem_alloc(MAXPATHLEN, UMEM_NOFAIL);
+
 		VERIFY(NULL != realpath(getexecname(), cmd));
 		if (0 != access(altdir, F_OK)) {
 			ztest_dump_core = B_FALSE;
@@ -767,6 +770,9 @@ process_options(int argc, char **argv)
 			fatal(B_TRUE, "invalid alternate lib directory %s",
 			    zo->zo_alt_libpath);
 		}
+
+		umem_free(cmd, MAXPATHLEN);
+		umem_free(realaltdir, MAXPATHLEN);
 	}
 }