1/* Bug 22786: test for buffer overflow in realpath.
2 Copyright (C) 2018-2022 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
9
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, see
17 <https://www.gnu.org/licenses/>. */
18
19/* This file must be run from within a directory called "stdlib". */
20
21#include <errno.h>
22#include <limits.h>
23#include <stdio.h>
24#include <stdlib.h>
25#include <string.h>
26#include <unistd.h>
27#include <sys/stat.h>
28#include <sys/types.h>
29#include <support/blob_repeat.h>
30#include <support/check.h>
31#include <support/support.h>
32#include <support/temp_file.h>
33#include <support/test-driver.h>
34#include <libc-diag.h>
35
36static int
37do_test (void)
38{
39 char *dir = support_create_temp_directory (base: "bz22786.");
40 char *lnk = xasprintf (format: "%s/symlink", dir);
41 const size_t path_len = (size_t) INT_MAX + strlen (lnk) + 1;
42
43 struct support_blob_repeat repeat
44 = support_blob_repeat_allocate (element: "a", element_size: 1, count: path_len);
45 char *path = repeat.start;
46 if (path == NULL)
47 {
48 printf (format: "Repeated allocation (%zu bytes): %m\n", path_len);
49 /* On 31-bit s390 the malloc will always fail as we do not have
50 so much memory, and we want to mark the test unsupported.
51 Likewise on systems with little physical memory the test will
52 fail and should be unsupported. */
53 return EXIT_UNSUPPORTED;
54 }
55
56 TEST_VERIFY_EXIT (symlink (".", lnk) == 0);
57
58 /* Construct very long path = "/tmp/bz22786.XXXX/symlink/aaaa....." */
59 char *p = mempcpy (path, lnk, strlen (lnk));
60 *(p++) = '/';
61 p[path_len - (p - path) - 1] = '\0';
62
63 /* This call crashes before the fix for bz22786 on 32-bit platforms. */
64 p = realpath (name: path, NULL);
65 TEST_VERIFY (p == NULL);
66 /* For 64-bit platforms readlink return ENAMETOOLONG, while for 32-bit
67 realpath will try to allocate a buffer larger than PTRDIFF_MAX. */
68 TEST_VERIFY (errno == ENOMEM || errno == ENAMETOOLONG);
69
70 /* Cleanup. */
71 unlink (name: lnk);
72 support_blob_repeat_free (&repeat);
73 free (ptr: lnk);
74 free (ptr: dir);
75
76 return 0;
77}
78
79#include <support/test-driver.c>
80

source code of glibc/stdlib/test-bz22786.c