PATH_MAX+1 rarely makes sense, and abort if this happens in the imsg.

ok jmatthew millert

diff --git a/usr.sbin/ldapd/ldapd.c b/usr.sbin/ldapd/ldapd.c
index eb3ff81..0bb6a59 100644 (file)
--- a/usr.sbin/ldapd/ldapd.c
+++ b/usr.sbin/ldapd/ldapd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ldapd.c,v 1.29 2021/07/14 13:33:57 kn Exp $ */
+/*     $OpenBSD: ldapd.c,v 1.30 2021/12/15 04:00:15 deraadt Exp $ */
 
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -381,8 +381,8 @@ ldapd_open_request(struct imsgev *iev, struct imsg *imsg)
        if (imsg->hdr.len != sizeof(*oreq) + IMSG_HEADER_SIZE)
                fatal("invalid size of open request");
 
-       /* make sure path is null-terminated */
-       oreq->path[PATH_MAX] = '\0';
+       if (oreq->path[PATH_MAX-1] != '\0')
+               fatal("bogus path");
 
        if (strncmp(oreq->path, datadir, strlen(datadir)) != 0) {
                log_warnx("refusing to open file %s", oreq->path);

diff --git a/usr.sbin/ldapd/ldapd.h b/usr.sbin/ldapd/ldapd.h
index 0f9988d..39ed38d 100644 (file)
--- a/usr.sbin/ldapd/ldapd.h
+++ b/usr.sbin/ldapd/ldapd.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ldapd.h,v 1.35 2021/04/20 21:11:56 dv Exp $ */
+/*     $OpenBSD: ldapd.h,v 1.36 2021/12/15 04:00:15 deraadt Exp $ */
 
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -283,7 +283,7 @@ struct auth_res
 };
 
 struct open_req {
-       char                     path[PATH_MAX+1];
+       char                     path[PATH_MAX];
        unsigned int             rdonly;
 };
 

diff --git a/usr.sbin/ldapd/ldape.c b/usr.sbin/ldapd/ldape.c
index 4a716b9..6a6c8f1 100644 (file)
--- a/usr.sbin/ldapd/ldape.c
+++ b/usr.sbin/ldapd/ldape.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ldape.c,v 1.34 2021/04/20 21:11:56 dv Exp $ */
+/*     $OpenBSD: ldape.c,v 1.35 2021/12/15 04:00:15 deraadt Exp $ */
 
 /*
  * Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
@@ -545,8 +545,8 @@ ldape_open_result(struct imsg *imsg)
        if (imsg->hdr.len != sizeof(*oreq) + IMSG_HEADER_SIZE)
                fatal("invalid size of open result");
 
-       /* make sure path is null-terminated */
-       oreq->path[PATH_MAX] = '\0';
+       if (oreq->path[PATH_MAX-1] != '\0')
+               fatal("bogus path");
 
        log_debug("open(%s) returned fd %d", oreq->path, imsg->fd);