shm-directory: Truncated struct member name length

The struct shmdir_name in include/shm-directory.h has a name field to
contain the full path of the POSIX IPC object (shm and sem).
The size was previously set to sizeof (SHMDIR) + 4 + NAME_MAX, where 4
bytes were reserved for the optional "sem." prefix.

This led to incorrect execution of the __shm_get_name function
in posix/shm-directory.c, which is used across the shm_[open/unlink] and
sem_[open/unlink] functions.

For shm_[open/unlink]:
This is because the name field was large enough to hold 268 characters
(255 + 4 + 9) instead of the maximum allowed 263 characters (255 + 9).
This caused the __shm_get_name to not throw ENAMETOOLONG error when the
name length exceeded NAME_MAX (255) up to 259 characters.

For sem_[open/unlink]:
Similarly, the __shm_get_name incorrectly returned success for names of
length 255 instead of 251 (255 - 4).

This was overlooked as finally these functions throw the correct
ENAMETOOLONG error; which was thrown by the openat syscall, which is
called later in the shm_* and sem_* functions.

This patch corrects the size of name field in struct shmdir_name to
sizeof (SHMDIR) + NAME_MAX. The __shm_get_name function returns
ENAMETOOLONG if alloc_buffer_has_failed returns true (which only happens
when copy length > alloc_buffer_size (buffer)).

Relevant runtime monitoring was done in gdb to confirm the same.

Signed-off-by: Prasanna Paithankar <paithankarprasanna@gmail.com>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Prasanna Paithankar
2025-09-05 04:54:34 +05:30
committed by Adhemerval Zanella
parent 4324a1490e
commit 4ae9b66048
2 changed files with 3 additions and 7 deletions

@@ -28,8 +28,8 @@
struct shmdir_name
{
/* The combined prefix/name. The sizeof includes the terminating
NUL byte. 4 bytes are needed for the optional "sem." prefix. */
char name[sizeof (SHMDIR) + 4 + NAME_MAX];
NUL byte. */
char name[sizeof (SHMDIR) + NAME_MAX];
};
/* Sets RESULT->name to the constructed name and returns 0 on success,
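Review bot: The comment on `name` now ends at "NUL byte." and no longer mentions the "sem." prefix, so the header does not document that the prefix has to fit within the same NAME_MAX budget as the name itself. Consider adding a sentence to the comment stating that the optional "sem." prefix counts against NAME_MAX, so that callers passing sem_prefix can see from the declaration why their usable name length is 4 bytes shorter.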

@@ -58,11 +58,7 @@ __shm_get_name (struct shmdir_name *result, const char *name, bool sem_prefix)
if (namelen == 0 || memchr (name, '/', namelen) != NULL)
return EINVAL;
if (alloc_buffer_has_failed (&buffer))
{
if (namelen > NAME_MAX)
return ENAMETOOLONG;
return EINVAL;
}
return ENAMETOOLONG;
return 0;
}
libc_hidden_def (__shm_get_name)
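Review bot: The unconditional `return ENAMETOOLONG;` under `alloc_buffer_has_failed (&buffer)` is only correct while an over-long copy is the sole way this buffer can fail, and nothing in the function states that. A one-line comment above the check recording that invariant would keep a later change to the buffer setup from silently reporting other failures as ENAMETOOLONG. The commit message mentions verification in gdb only and the change touches 2 files, so a regression test for the boundary lengths it describes (255 for shm names, 251 for sem names) would be worth adding.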