From a787fc5c556cbbc7f3de308d25b7527f9da5a0da Mon Sep 17 00:00:00 2001

From: "Barton E. Schaefer" <schaefer@zsh.org>

Date: Sun, 19 Jan 2014 17:41:06 -0800

Subject: [PATCH 1/3] 32294: prevent buffer overflow when scanning very long

 directory paths for symbolic links

Upstream-commit: 3e06aeabd8a9e8384ebaa8b08996cd1f64737210

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 Src/utils.c | 31 ++++++++++++++++++-------------

 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/Src/utils.c b/Src/utils.c

index 20fa59d..a197ef8 100644

--- a/Src/utils.c

+++ b/Src/utils.c

@@ -726,32 +726,36 @@ xsymlinks(char *s)

     char **pp, **opp;

     char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];

     int t0, ret = 0;

+    zulong xbuflen = strlen(xbuf);

     opp = pp = slashsplit(s);

-    for (; *pp; pp++) {

-	if (!strcmp(*pp, ".")) {

-	    zsfree(*pp);

+    for (; xbuflen < sizeof(xbuf) && *pp; pp++) {

+	if (!strcmp(*pp, "."))

 	    continue;

-	}

 	if (!strcmp(*pp, "..")) {

 	    char *p;

-	    zsfree(*pp);

 	    if (!strcmp(xbuf, "/"))

 		continue;

 	    if (!*xbuf)

 		continue;

-	    p = xbuf + strlen(xbuf);

-	    while (*--p != '/');

+	    p = xbuf + xbuflen;

+	    while (*--p != '/')

+		xbuflen--;

 	    *p = '\0';

 	    continue;

 	}

 	sprintf(xbuf2, "%s/%s", xbuf, *pp);

 	t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);

 	if (t0 == -1) {

-	    strcat(xbuf, "/");

-	    strcat(xbuf, *pp);

-	    zsfree(*pp);

+	    zulong pplen = strlen(*pp) + 1;

+	    if ((xbuflen += pplen) < sizeof(xbuf)) {

+		strcat(xbuf, "/");

+		strcat(xbuf, *pp);

+	    } else {

+		*xbuf = 0;

+		break;

+	    }

 	} else {

 	    ret = 1;

 	    metafy(xbuf3, t0, META_NOALLOC);

@@ -760,10 +764,9 @@ xsymlinks(char *s)

 		xsymlinks(xbuf3 + 1);

 	    } else

 		xsymlinks(xbuf3);

-	    zsfree(*pp);

 	}

     }

-    free(opp);

+    freearray(opp);

     return ret;

 }

@@ -780,8 +783,10 @@ xsymlink(char *s)

 	return NULL;

     *xbuf = '\0';

     xsymlinks(s + 1);

-    if (!*xbuf)

+    if (!*xbuf) {

+	zwarn("path expansion failed, using root directory");

 	return ztrdup("/");

+    }

     return ztrdup(xbuf);

 }

-- 

2.14.3

From a2de3957b1e6f23c593c47df0a850a8272e7c06a Mon Sep 17 00:00:00 2001

From: "Barton E. Schaefer" <schaefer@zsh.org>

Date: Fri, 15 Aug 2014 10:19:54 -0700

Subject: [PATCH 2/3] 33012: add an error return value (-1) to xsymlinks()

Upstream-commit: 47d91c5fba6bc90d79503b7c69c6146abb8825f5

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 Src/utils.c | 15 ++++++++-------

 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/Src/utils.c b/Src/utils.c

index a197ef8..d3e5812 100644

--- a/Src/utils.c

+++ b/Src/utils.c

@@ -717,7 +717,6 @@ slashsplit(char *s)

 }

 /* expands symlinks and .. or . expressions */

-/* if flag = 0, only expand .. and . expressions */

 /**/

 static int

@@ -754,6 +753,7 @@ xsymlinks(char *s)

 		strcat(xbuf, *pp);

 	    } else {

 		*xbuf = 0;

+		ret = -1;

 		break;

 	    }

 	} else {

@@ -761,9 +761,11 @@ xsymlinks(char *s)

 	    metafy(xbuf3, t0, META_NOALLOC);

 	    if (*xbuf3 == '/') {

 		strcpy(xbuf, "");

-		xsymlinks(xbuf3 + 1);

+		if (xsymlinks(xbuf3 + 1) < 0)

+		    ret = -1;

 	    } else

-		xsymlinks(xbuf3);

+		if (xsymlinks(xbuf3) < 0)

+		    ret = -1;

 	}

     }

     freearray(opp);

@@ -782,11 +784,10 @@ xsymlink(char *s)

     if (*s != '/')

 	return NULL;

     *xbuf = '\0';

-    xsymlinks(s + 1);

-    if (!*xbuf) {

+    if (xsymlinks(s + 1) < 0)

 	zwarn("path expansion failed, using root directory");

+    if (!*xbuf)

 	return ztrdup("/");

-    }

     return ztrdup(xbuf);

 }

@@ -796,7 +797,7 @@ print_if_link(char *s)

 {

     if (*s == '/') {

 	*xbuf = '\0';

-	if (xsymlinks(s + 1))

+	if (xsymlinks(s + 1) > 0)

 	    printf(" -> "), zputs(*xbuf ? xbuf : "/", stdout);

     }

 }

-- 

2.20.1

From c84057916eb96714c03fb0072ad0929152e48f0a Mon Sep 17 00:00:00 2001

From: Peter Stephenson <p.w.stephenson@ntlworld.com>

Date: Thu, 13 Nov 2014 19:44:01 +0000

Subject: [PATCH 3/3] Marc Finet: problems with working directory

 rationalisation.

Ensure the length of the directory is kept up to date.

Abort following symlinks as soon as there's an error.

Upstream-commit: c01a178ece6740f719fef81ecdf9283b5c8b71d5

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 Src/utils.c | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Src/utils.c b/Src/utils.c

index d3e5812..e2ffc38 100644

--- a/Src/utils.c

+++ b/Src/utils.c

@@ -728,7 +728,7 @@ xsymlinks(char *s)

     zulong xbuflen = strlen(xbuf);

     opp = pp = slashsplit(s);

-    for (; xbuflen < sizeof(xbuf) && *pp; pp++) {

+    for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {

 	if (!strcmp(*pp, "."))

 	    continue;

 	if (!strcmp(*pp, "..")) {

@@ -763,9 +763,13 @@ xsymlinks(char *s)

 		strcpy(xbuf, "");

 		if (xsymlinks(xbuf3 + 1) < 0)

 		    ret = -1;

+		else

+		    xbuflen = strlen(xbuf);

 	    } else

 		if (xsymlinks(xbuf3) < 0)

 		    ret = -1;

+		else

+		    xbuflen = strlen(xbuf);

 	}

     }

     freearray(opp);

-- 

2.20.1