From: deraadt Date: Wed, 15 Dec 2021 04:00:15 +0000 (+0000) Subject: PATH_MAX+1 rarely makes sense, and abort if this happens in the imsg. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=83adb6b7a3307c10968eddcbf72edb4248771225;p=openbsd PATH_MAX+1 rarely makes sense, and abort if this happens in the imsg. ok jmatthew millert --- diff --git a/usr.sbin/ldapd/ldapd.c b/usr.sbin/ldapd/ldapd.c index eb3ff811e34..0bb6a59b674 100644 --- a/usr.sbin/ldapd/ldapd.c +++ b/usr.sbin/ldapd/ldapd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ldapd.c,v 1.29 2021/07/14 13:33:57 kn Exp $ */ +/* $OpenBSD: ldapd.c,v 1.30 2021/12/15 04:00:15 deraadt Exp $ */ /* * Copyright (c) 2009, 2010 Martin Hedenfalk @@ -381,8 +381,8 @@ ldapd_open_request(struct imsgev *iev, struct imsg *imsg) if (imsg->hdr.len != sizeof(*oreq) + IMSG_HEADER_SIZE) fatal("invalid size of open request"); - /* make sure path is null-terminated */ - oreq->path[PATH_MAX] = '\0'; + if (oreq->path[PATH_MAX-1] != '\0') + fatal("bogus path"); if (strncmp(oreq->path, datadir, strlen(datadir)) != 0) { log_warnx("refusing to open file %s", oreq->path); diff --git a/usr.sbin/ldapd/ldapd.h b/usr.sbin/ldapd/ldapd.h index 0f9988d7fac..39ed38d6aa8 100644 --- a/usr.sbin/ldapd/ldapd.h +++ b/usr.sbin/ldapd/ldapd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ldapd.h,v 1.35 2021/04/20 21:11:56 dv Exp $ */ +/* $OpenBSD: ldapd.h,v 1.36 2021/12/15 04:00:15 deraadt Exp $ */ /* * Copyright (c) 2009, 2010 Martin Hedenfalk @@ -283,7 +283,7 @@ struct auth_res }; struct open_req { - char path[PATH_MAX+1]; + char path[PATH_MAX]; unsigned int rdonly; }; diff --git a/usr.sbin/ldapd/ldape.c b/usr.sbin/ldapd/ldape.c index 4a716b9f9b0..6a6c8f1c0f3 100644 --- a/usr.sbin/ldapd/ldape.c +++ b/usr.sbin/ldapd/ldape.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ldape.c,v 1.34 2021/04/20 21:11:56 dv Exp $ */ +/* $OpenBSD: ldape.c,v 1.35 2021/12/15 04:00:15 deraadt Exp $ */ /* * Copyright (c) 2009, 2010 Martin Hedenfalk @@ -545,8 +545,8 @@ ldape_open_result(struct imsg *imsg) if (imsg->hdr.len != sizeof(*oreq) + IMSG_HEADER_SIZE) fatal("invalid size of open result"); - /* make sure path is null-terminated */ - oreq->path[PATH_MAX] = '\0'; + if (oreq->path[PATH_MAX-1] != '\0') + fatal("bogus path"); log_debug("open(%s) returned fd %d", oreq->path, imsg->fd);