From bdfaa295cdd5cc454d9e6fddd6b4e066025c806c Mon Sep 17 00:00:00 2001
From: millert
Date: Thu, 17 Oct 2024 15:38:38 +0000
Subject: [PATCH] create_tempfile: pass pointer to full pathname to strlcat()

Fixes a potential buffer overrun. Also check strlcpy() and strlcat() return value to detect truncations. Based on a diff from naddy@. OK naddy@ tb@ deraadt@
---
 usr.bin/xinstall/xinstall.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/usr.bin/xinstall/xinstall.c b/usr.bin/xinstall/xinstall.c
index 6183347f22c..dccb178e599 100644
--- a/usr.bin/xinstall/xinstall.c
+++ b/usr.bin/xinstall/xinstall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xinstall.c,v 1.77 2022/12/04 23:50:50 cheloha Exp $ */
+/* $OpenBSD: xinstall.c,v 1.78 2024/10/17 15:38:38 millert Exp $ */
 /* $NetBSD: xinstall.c,v 1.9 1995/12/20 10:25:17 jonathan Exp $ */
 /*
@@ -621,13 +621,19 @@ create_tempfile(char *path, char *temp, size_t tsize)
 {
 char *p;
- strlcpy(temp, path, tsize);
+ if (strlcpy(temp, path, tsize) >= tsize) {
+ errno = ENAMETOOLONG;
+ return(-1);
+ }
 if ((p = strrchr(temp, '/')) != NULL)
 p++;
 else
 p = temp;
 *p = '\0';
- strlcat(p, "INS@XXXXXXXXXX", tsize);
+ if (strlcat(temp, "INS@XXXXXXXXXX", tsize) >= tsize) {
+ errno = ENAMETOOLONG;
+ return(-1);
+ }
 return(mkstemp(temp));
 }
-- 
2.20.1
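Review bot: Nothing at the new `strlcat(temp, "INS@XXXXXXXXXX", tsize)` call in create_tempfile() records why the destination has to be `temp` rather than `p`, so the overrun this commit fixes is easy to reintroduce in a later cleanup. The size argument is the capacity of the buffer that begins at the destination pointer, and `tsize` describes `temp` only; a one-line comment above the call would pin that, e.g. `/* tsize is the size of temp: append via temp, never via p */`. The two new failure paths also change the contract: the function can now return -1 with `errno` set to `ENAMETOOLONG` before mkstemp() is reached, and on the second path `temp` is left holding the directory prefix with a partly appended template. The function's header comment and signature line sit outside this hunk; if a header comment exists, it should state the new -1/`ENAMETOOLONG` return and that `temp` must not be used after a failure.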