On Sat, Oct 05, 2013 at 03:22:36PM -0600, Todd C. Miller wrote:
> On Wed, 28 Aug 2013 22:34:26 -0400, Kenneth R Westerback wrote:
>
> > > @@ -552,11 +552,16 @@ ELFNAME2(exec,makecmds)(struct proc *p,
> > >
> > > for (i = 0, pp = ph; i < eh->e_phnum; i++, pp++) {
> > > if (pp->p_type == PT_INTERP && !interp) {
> > > - if (pp->p_filesz >= MAXPATHLEN)
> > > + if (pp->p_filesz < 2 || pp->p_filesz >= MAXPATHLEN)
> >
> > Still think you're depriving yourself of one character out by using
> > ">=" instead of ">".
>
> I'm not sure about this. We want to limit the path length to
> MAXPATHLEN-1 since we include the NUL terminator in MAXPATHLEN.
> The buffer we get from namei_pool is MAXPATHLEN long and the
> read_from() function just calls vn_rdwr(). If we allow interp to
> be MAXPATHLEN, is there any guarantee that it will end in a NUL
> byte?
>
> - todd
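Review bot: The new lower bound `pp->p_filesz < 2` and the retained `pp->p_filesz >= MAXPATHLEN` in the `+` line only constrain the header's size field; nothing in the hunk shown guarantees that the last byte read into the MAXPATHLEN buffer is a NUL, which is the question Todd raises about read_from()/vn_rdwr(). If the intent is that p_filesz counts the terminator, enforce that on the data rather than on the length: after the interp buffer is filled, reject the header when `interp[pp->p_filesz - 1] != '\0'` (or force-terminate it), and add a comment beside the bound stating that p_filesz is expected to include the NUL so the `>=` versus `>` discussion does not resurface.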
My reading at the time convinced me that p_filesz also includes the NUL. So using >= left room for two NULs. But I am not trying to hold up either version, since I don't really understand the relevant code. :-)

.... Ken