Pragmatic PHP |
|
2024-11-22 |
|
|
4 |
|
|
Overflows
It is a bit difficult to talk about buffer overflows because we
tend to fix them as soon as we discover them. But some overflows
we have hit in the past include problems in:
There is also a current issue in most libc realpath() calls that is
troublesome.
realpath man page
REALPATH(3) FreeBSD Library Functions Manual REALPATH(3)
NAME
realpath - returns the canonicalized absolute pathname
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <sys/param.h>
#include <stdlib.h>
char *
realpath(const char *pathname, char resolved_path[MAXPATHLEN]);
DESCRIPTION
The realpath() function resolves all symbolic links, extra ``/'' charac-
ters and references to /./ and /../ in pathname, and copies the resulting
absolute pathname into the memory referenced by resolved_path. The
resolved_path argument must refer to a buffer capable of storing at least
MAXPATHLEN characters.
The realpath() function will resolve both absolute and relative paths and
return the absolute pathname corresponding to pathname. All but the last
component of pathname must exist when realpath() is called.
RETURN VALUES
The realpath() function returns resolved_path on success. If an error
occurs, realpath() returns NULL, and resolved_path contains the pathname
which caused the problem.
ERRORS
The function realpath() may fail and set the external variable errno for
any of the errors specified for the library functions chdir(2), close(2),
fchdir(2), lstat(2), open(2), readlink(2) and getcwd(3).
CAVEATS
This implementation of realpath() differs slightly from the Solaris
implementation. The 4.4BSD version always returns absolute pathnames,
whereas the Solaris implementation will, under certain circumstances,
return a relative resolved_path when given a relative pathname.
SEE ALSO
getcwd(3)
HISTORY
The realpath() function call first appeared in 4.4BSD.
Imagine this C code
#define DOCROOT "/home/y/share/htdocs"
#define SCRIPT "my_script"
int len = sizeof(DOCROOT)
+ sizeof(SCRIPT);
+ strlen(user_input);
char *path = (char *)malloc(len+1);
char safe_path[MAXPATHLEN];
snprintf(path, len, "%s/%s/%s", DOCROOT, user_input, SCRIPT);
if(realpath(path, safe_path)) {
DIR *dir = opendir(safe_path);
...
}
Problem code in FreeBSD realpath.c
...
resolved_len = strlcat(resolved, next_token, PATH_MAX);
if (resolved_len >= PATH_MAX) {
errno = ENAMETOOLONG;
return (NULL);
}
...
It makes sure we never get a string back longer than PATH_MAX, but
the silent strlcat truncation of the tokenized source path is a big problem!