1 | /* Bug 22786: test for buffer overflow in realpath. |
2 | Copyright (C) 2018-2022 Free Software Foundation, Inc. |
3 | This file is part of the GNU C Library. |
4 | |
5 | The GNU C Library is free software; you can redistribute it and/or |
6 | modify it under the terms of the GNU Lesser General Public |
7 | License as published by the Free Software Foundation; either |
8 | version 2.1 of the License, or (at your option) any later version. |
9 | |
10 | The GNU C Library is distributed in the hope that it will be useful, |
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
13 | Lesser General Public License for more details. |
14 | |
15 | You should have received a copy of the GNU Lesser General Public |
16 | License along with the GNU C Library; if not, see |
17 | <https://www.gnu.org/licenses/>. */ |
18 | |
19 | /* This file must be run from within a directory called "stdlib". */ |
20 | |
21 | #include <errno.h> |
22 | #include <limits.h> |
23 | #include <stdio.h> |
24 | #include <stdlib.h> |
25 | #include <string.h> |
26 | #include <unistd.h> |
27 | #include <sys/stat.h> |
28 | #include <sys/types.h> |
29 | #include <support/blob_repeat.h> |
30 | #include <support/check.h> |
31 | #include <support/support.h> |
32 | #include <support/temp_file.h> |
33 | #include <support/test-driver.h> |
34 | #include <libc-diag.h> |
35 | |
36 | static int |
37 | do_test (void) |
38 | { |
39 | char *dir = support_create_temp_directory (base: "bz22786." ); |
40 | char *lnk = xasprintf (format: "%s/symlink" , dir); |
41 | const size_t path_len = (size_t) INT_MAX + strlen (lnk) + 1; |
42 | |
43 | struct support_blob_repeat repeat |
44 | = support_blob_repeat_allocate (element: "a" , element_size: 1, count: path_len); |
45 | char *path = repeat.start; |
46 | if (path == NULL) |
47 | { |
48 | printf (format: "Repeated allocation (%zu bytes): %m\n" , path_len); |
49 | /* On 31-bit s390 the malloc will always fail as we do not have |
50 | so much memory, and we want to mark the test unsupported. |
51 | Likewise on systems with little physical memory the test will |
52 | fail and should be unsupported. */ |
53 | return EXIT_UNSUPPORTED; |
54 | } |
55 | |
56 | TEST_VERIFY_EXIT (symlink ("." , lnk) == 0); |
57 | |
58 | /* Construct very long path = "/tmp/bz22786.XXXX/symlink/aaaa....." */ |
59 | char *p = mempcpy (path, lnk, strlen (lnk)); |
60 | *(p++) = '/'; |
61 | p[path_len - (p - path) - 1] = '\0'; |
62 | |
63 | /* This call crashes before the fix for bz22786 on 32-bit platforms. */ |
64 | p = realpath (name: path, NULL); |
65 | TEST_VERIFY (p == NULL); |
66 | /* For 64-bit platforms readlink return ENAMETOOLONG, while for 32-bit |
67 | realpath will try to allocate a buffer larger than PTRDIFF_MAX. */ |
68 | TEST_VERIFY (errno == ENOMEM || errno == ENAMETOOLONG); |
69 | |
70 | /* Cleanup. */ |
71 | unlink (name: lnk); |
72 | support_blob_repeat_free (&repeat); |
73 | free (ptr: lnk); |
74 | free (ptr: dir); |
75 | |
76 | return 0; |
77 | } |
78 | |
79 | #include <support/test-driver.c> |
80 | |