NetBSD Problem Report #39746

From www@NetBSD.org  Thu Oct 16 05:04:43 2008
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 6CD2A63BC83
	for <gnats-bugs@gnats.netbsd.org>; Thu, 16 Oct 2008 05:04:43 +0000 (UTC)
Message-Id: <20081016050443.0DFB563BAC6@narn.NetBSD.org>
Date: Thu, 16 Oct 2008 05:04:43 +0000 (UTC)
From: abutter.gao@gmail.com
Reply-To: abutter.gao@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Too small buffer for long TMPDIR and unlinked-file in src/usr.bin/config/main.c
X-Send-Pr-Version: www-1.0

>Number:         39746
>Category:       bin
>Synopsis:       Too small buffer for long TMPDIR and unlinked-file in src/usr.bin/config/main.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 16 05:05:00 +0000 2008
>Closed-Date:    Thu Oct 16 05:42:12 +0000 2008
>Last-Modified:  Thu Oct 16 18:40:01 +0000 2008
>Originator:     Gao Ya'nan
>Release:        NetBSD-current and NetBSD-4.0
>Organization:
>Environment:
NetBSD abutter.foo.org 4.0 NetBSD 4.0 (GENERIC) #0: Sun Dec 16 00:20:10 PST 2007  builds@wb34:/home/builds/ab/netbsd-4-0-RELEASE/i386/200712160005Z-obj/home/builds/ab/netbsd-4-0-RELEASE/src/sys/arch/i386/compile/GENERIC i386

>Description:
----------------------------------->cut<----------------------------------------
int
main(int argc, char **argv)
{
        char *p, cname[20];
        const char *last_component;
----------------------------------->cut<----------------------------------------

So, cname only takes 20 bytes.

----------------------------------->cut<----------------------------------------
                /* Open temporary configuration file */
                tmpdir = getenv("TMPDIR");
                if (tmpdir == NULL)
                        tmpdir = "/tmp";
                snprintf(cname, sizeof(cname), "%s/config.tmp.XXXXXX", tmpdir);
                cfd = mkstemp(cname);
                if (cfd == -1)
                        err(EXIT_FAILURE, "Cannot create `%s'", cname);

                printf("Using configuration data embedded in kernel...\n");
                if (!extract_config(conffile, cname, cfd))
                        errx(EXIT_FAILURE, "%s does not contain embedded "
                            "configuration data", conffile);

                removeit = 1;
                close(cfd);
                firstfile(cname);
----------------------------------->cut<----------------------------------------

First, if $TMPDIR is more than 7 bytes, 'XXXXXX' will be lost, and if $TMPDIR is long enough, the full name will be truncated.

Second, if extract_config() returns 0, there will be an unlink-ed file in TMPDIR or the directory above.

>How-To-Repeat:
TMPDIR=/mnt/averylongtmpdirforconfig config -b /mnt/build netbsd
>Fix:
1, change the size of cname to MAXPATHLEN;
2, unlink the file if extract_config returns with 0.

>Release-Note:

>Audit-Trail:
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39746 CVS commit: src/usr.bin/config
Date: Thu, 16 Oct 2008 05:35:01 +0000 (UTC)

 Module Name:	src
 Committed By:	dholland
 Date:		Thu Oct 16 05:35:01 UTC 2008

 Modified Files:
 	src/usr.bin/config: main.c

 Log Message:
 Fix ridiculously small filename buffer for temporary file and resulting
 truncation if $TMPDIR is set; also, fix an error path to not leave the
 temporary file behind. From Gao Ya'nan in PR 39746.
 While here, use _PATH_TMP instead of a hardwired "/tmp".


 To generate a diff of this commit:
 cvs rdiff -r1.29 -r1.30 src/usr.bin/config/main.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
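
The truncation and the leftover temporary file described in this report, together with the two changes proposed under >Fix:, as an added C example (not the code committed to src/usr.bin/config/main.c and not written by anyone in this thread). The names build_template, trailing_x, make_config_tmp, extract_ok and extract_fail are hypothetical; the last two stand in for extract_config().

```c
#include <sys/param.h>	/* MAXPATHLEN */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build the mkstemp() template; return -1 if it did not fit in buf. */
int build_template(char *buf, size_t len, const char *tmpdir)
{
	int n = snprintf(buf, len, "%s/config.tmp.XXXXXX", tmpdir);
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Count the trailing 'X' characters left for mkstemp() to replace. */
int trailing_x(const char *s)
{
	int n = 0;
	for (size_t i = strlen(s); i > 0 && s[i - 1] == 'X'; i--)
		n++;
	return n;
}

/* Hypothetical stand-ins for extract_config(): nonzero means success. */
int extract_ok(int fd) { (void)fd; return 1; }
int extract_fail(int fd) { (void)fd; return 0; }

/* Full-size template, truncation is an error, failed extract unlinks. */
int make_config_tmp(const char *tmpdir, int (*extract)(int), char *cname, size_t len)
{
	int cfd, ok;
	if (build_template(cname, len, tmpdir) == -1)
		return -1;		/* refuse a truncated template */
	if ((cfd = mkstemp(cname)) == -1)
		return -1;
	ok = extract(cfd);
	close(cfd);
	if (!ok)
		unlink(cname);		/* error path: leave nothing behind */
	return ok ? 0 : -1;
}

int main(void)
{
	char small[20], cname[MAXPATHLEN];	/* 20 = the original cname size */
	build_template(small, sizeof(small), "/mnt/averylongtmpdirforconfig");
	printf("20 bytes: `%s' (%d X left)\n", small, trailing_x(small));
	int r = make_config_tmp("/tmp", extract_fail, cname, sizeof(cname));
	printf("r=%d, left behind: %s\n", r, access(cname, F_OK) == 0 ? "yes" : "no");
	return 0;
}
```

With the 20-byte buffer even the default /tmp leaves only three X characters in the template, and the TMPDIR from How-To-Repeat is cut to /mnt/averylongtmpdi, a name in the directory above TMPDIR.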

State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Thu, 16 Oct 2008 05:42:12 +0000
State-Changed-Why:
Fixed in HEAD.
I'm not going to request this be pulled up to netbsd-4 because it's noncritical
and has some chance of breaking cross-building.


From: "Greg A. Woods; Planix, Inc." <woods@planix.ca>
To: gnats-bugs@NetBSD.org
Cc: dholland@NetBSD.org,
 abutter.gao@gmail.com
Subject: Re: bin/39746 (Too small buffer for long TMPDIR and unlinked-file in src/usr.bin/config/main.c)
Date: Thu, 16 Oct 2008 11:02:06 -0400


 On 16-Oct-08, at 1:42 AM, dholland@netbsd.org wrote:

 > Synopsis: Too small buffer for long TMPDIR and unlinked-file in src/usr.bin/config/main.c
 >
 > State-Changed-From-To: open->closed
 > State-Changed-By: dholland@NetBSD.org
 > State-Changed-When: Thu, 16 Oct 2008 05:42:12 +0000
 > State-Changed-Why:
 > Fixed in HEAD.
 > I'm not going to request this be pulled up to netbsd-4 because it's  
 > noncritical
 > and has some chance of breaking cross-building.

 Are you worried about the new use of _PATH_TMP?  That's already
 covered in the tools/compat headers fetched by nbtool_config.h so it
 shouldn't cause any problems.

 I'm not quite sure how such an otherwise serious bug fix could cause  
 problems for cross-building.

 -- 
 					Greg A. Woods; Planix, Inc.
 					<woods@planix.ca>



From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, abutter.gao@gmail.com
Subject: Re: bin/39746 (Too small buffer for long TMPDIR and unlinked-file
	in src/usr.bin/config/main.c)
Date: Thu, 16 Oct 2008 18:36:57 +0000

 On Thu, Oct 16, 2008 at 03:05:05PM +0000, Greg A. Woods; Planix, Inc. wrote:
  >> I'm not going to request this be pulled up to netbsd-4 because it's  
  >> noncritical and has some chance of breaking cross-building.
  >  
  >  Are you worried about the new use of _PATH_TMP?  That's already
  >  covered in the tools/compat headers fetched by nbtool_config.h so it
  >  shouldn't cause any problems.
  >  
  >  I'm not quite sure how such an otherwise serious bug fix could cause  
  >  problems for cross-building.

 The change added a couple headers and symbols that weren't previously
 used. We try to build on a lot of broken platforms. Meanwhile, it is a
 minor issue and not worth spending time on.

 -- 
 David A. Holland
 dholland@netbsd.org

>Unformatted:
