Fix buffer overflow vulnerabilities in calculate_path(). Code used

copied strings from environment variables and argv[0] into
fixed-length buffers without checking their length.

Reported by Stan Bubrouski; advice on fix from John Viega.
This commit is contained in:
Jeremy Hylton 2000-09-27 20:51:17 +00:00
parent 23542dc6eb
commit 6372fe1e40
1 changed files with 41 additions and 16 deletions

View File

@ -98,7 +98,7 @@
*/ */
#ifndef VERSION #ifndef VERSION
#define VERSION "1.5" #define VERSION "2.0"
#endif #endif
#ifndef VPATH #ifndef VPATH
@ -122,7 +122,7 @@
#ifndef LANDMARK #ifndef LANDMARK
#define LANDMARK "os.py" #define LANDMARK "os.py"
#endif #endif
static char prefix[MAXPATHLEN+1]; static char prefix[MAXPATHLEN+1];
static char exec_prefix[MAXPATHLEN+1]; static char exec_prefix[MAXPATHLEN+1];
static char progpath[MAXPATHLEN+1]; static char progpath[MAXPATHLEN+1];
@ -201,6 +201,11 @@ isdir(char *filename) /* Is directory */
} }
/* joinpath requires that any buffer argument passed to it has at
least MAXPATHLEN + 1 bytes allocated. If this requirement is met,
it guarantees that it will never overflow the buffer. If stuff
is too long, buffer will contain a truncated copy of stuff.
*/
static void static void
joinpath(char *buffer, char *stuff) joinpath(char *buffer, char *stuff)
{ {
@ -219,6 +224,10 @@ joinpath(char *buffer, char *stuff)
buffer[n+k] = '\0'; buffer[n+k] = '\0';
} }
/* init_path_from_argv0 requirs that path be allocated at least
MAXPATHLEN + 1 bytes and that argv0_path be no more than MAXPATHLEN
bytes.
*/
static void static void
init_path_from_argv0(char *path, char *argv0_path) init_path_from_argv0(char *path, char *argv0_path)
{ {
@ -237,6 +246,9 @@ init_path_from_argv0(char *path, char *argv0_path)
} }
} }
/* search_for_prefix requires that argv0_path be no more than MAXPATHLEN
bytes long.
*/
static int static int
search_for_prefix(char *argv0_path, char *home) search_for_prefix(char *argv0_path, char *home)
{ {
@ -246,7 +258,7 @@ search_for_prefix(char *argv0_path, char *home)
/* If PYTHONHOME is set, we believe it unconditionally */ /* If PYTHONHOME is set, we believe it unconditionally */
if (home) { if (home) {
char *delim; char *delim;
strcpy(prefix, home); strncpy(prefix, home, MAXPATHLEN);
delim = strchr(prefix, DELIM); delim = strchr(prefix, DELIM);
if (delim) if (delim)
*delim = '\0'; *delim = '\0';
@ -293,7 +305,7 @@ search_for_prefix(char *argv0_path, char *home)
} while (prefix[0]); } while (prefix[0]);
/* Look at configure's PREFIX */ /* Look at configure's PREFIX */
strcpy(prefix, PREFIX); strncpy(prefix, PREFIX, MAXPATHLEN);
joinpath(prefix, lib_python); joinpath(prefix, lib_python);
joinpath(prefix, LANDMARK); joinpath(prefix, LANDMARK);
if (ismodule(prefix)) if (ismodule(prefix))
@ -304,6 +316,9 @@ search_for_prefix(char *argv0_path, char *home)
} }
/* search_for_exec_prefix requires that argv0_path be no more than
MAXPATHLEN bytes long.
*/
static int static int
search_for_exec_prefix(char *argv0_path, char *home) search_for_exec_prefix(char *argv0_path, char *home)
{ {
@ -314,9 +329,9 @@ search_for_exec_prefix(char *argv0_path, char *home)
char *delim; char *delim;
delim = strchr(home, DELIM); delim = strchr(home, DELIM);
if (delim) if (delim)
strcpy(exec_prefix, delim+1); strncpy(exec_prefix, delim+1, MAXPATHLEN);
else else
strcpy(exec_prefix, home); strncpy(exec_prefix, home, MAXPATHLEN);
joinpath(exec_prefix, lib_python); joinpath(exec_prefix, lib_python);
joinpath(exec_prefix, "lib-dynload"); joinpath(exec_prefix, "lib-dynload");
return 1; return 1;
@ -343,7 +358,7 @@ search_for_exec_prefix(char *argv0_path, char *home)
} while (exec_prefix[0]); } while (exec_prefix[0]);
/* Look at configure's EXEC_PREFIX */ /* Look at configure's EXEC_PREFIX */
strcpy(exec_prefix, EXEC_PREFIX); strncpy(exec_prefix, EXEC_PREFIX, MAXPATHLEN);
joinpath(exec_prefix, lib_python); joinpath(exec_prefix, lib_python);
joinpath(exec_prefix, "lib-dynload"); joinpath(exec_prefix, "lib-dynload");
if (isdir(exec_prefix)) if (isdir(exec_prefix))
@ -377,6 +392,7 @@ calculate_path(void)
#endif #endif
#ifdef WITH_NEXT_FRAMEWORK #ifdef WITH_NEXT_FRAMEWORK
/* XXX Need to check this code for buffer overflows */
pythonModule = NSModuleForSymbol(NSLookupAndBindSymbol("_Py_Initialize")); pythonModule = NSModuleForSymbol(NSLookupAndBindSymbol("_Py_Initialize"));
/* Use dylib functions to find out where the framework was loaded from */ /* Use dylib functions to find out where the framework was loaded from */
buf = NSLibraryNameForModule(pythonModule); buf = NSLibraryNameForModule(pythonModule);
@ -393,7 +409,7 @@ calculate_path(void)
#endif #endif
/* Initialize this dynamically for K&R C */ /* Initialize this dynamically for K&R C */
sprintf(lib_python, "lib/python%s", VERSION); sprintf(lib_python, "lib/python%.9s", VERSION);
/* If there is no slash in the argv0 path, then we have to /* If there is no slash in the argv0 path, then we have to
* assume python is on the user's $PATH, since there's no * assume python is on the user's $PATH, since there's no
@ -401,18 +417,22 @@ calculate_path(void)
* $PATH isn't exported, you lose. * $PATH isn't exported, you lose.
*/ */
if (strchr(prog, SEP)) if (strchr(prog, SEP))
strcpy(progpath, prog); strncpy(progpath, prog, MAXPATHLEN);
else if (path) { else if (path) {
int bufspace = MAXPATHLEN;
while (1) { while (1) {
char *delim = strchr(path, DELIM); char *delim = strchr(path, DELIM);
if (delim) { if (delim) {
size_t len = delim - path; size_t len = delim - path;
if (len > bufspace)
len = bufspace;
strncpy(progpath, path, len); strncpy(progpath, path, len);
*(progpath + len) = '\0'; *(progpath + len) = '\0';
bufspace -= len;
} }
else else
strcpy(progpath, path); strncpy(progpath, path, bufspace);
joinpath(progpath, prog); joinpath(progpath, prog);
if (isxfile(progpath)) if (isxfile(progpath))
@ -431,7 +451,7 @@ calculate_path(void)
} }
#endif #endif
strcpy(argv0_path, progpath); strncpy(argv0_path, progpath, MAXPATHLEN);
#if HAVE_READLINK #if HAVE_READLINK
{ {
@ -441,7 +461,9 @@ calculate_path(void)
/* It's not null terminated! */ /* It's not null terminated! */
tmpbuffer[linklen] = '\0'; tmpbuffer[linklen] = '\0';
if (tmpbuffer[0] == SEP) if (tmpbuffer[0] == SEP)
strcpy(argv0_path, tmpbuffer); /* tmpbuffer should never be longer than MAXPATHLEN,
but extra check does not hurt */
strncpy(argv0_path, tmpbuffer, MAXPATHLEN);
else { else {
/* Interpret relative to progpath */ /* Interpret relative to progpath */
reduce(argv0_path); reduce(argv0_path);
@ -453,12 +475,15 @@ calculate_path(void)
#endif /* HAVE_READLINK */ #endif /* HAVE_READLINK */
reduce(argv0_path); reduce(argv0_path);
/* At this point, argv0_path is guaranteed to be less than
MAXPATHLEN bytes long.
*/
if (!(pfound = search_for_prefix(argv0_path, home))) { if (!(pfound = search_for_prefix(argv0_path, home))) {
if (!Py_FrozenFlag) if (!Py_FrozenFlag)
fprintf(stderr, fprintf(stderr,
"Could not find platform independent libraries <prefix>\n"); "Could not find platform independent libraries <prefix>\n");
strcpy(prefix, PREFIX); strncpy(prefix, PREFIX, MAXPATHLEN);
joinpath(prefix, lib_python); joinpath(prefix, lib_python);
} }
else else
@ -468,7 +493,7 @@ calculate_path(void)
if (!Py_FrozenFlag) if (!Py_FrozenFlag)
fprintf(stderr, fprintf(stderr,
"Could not find platform dependent libraries <exec_prefix>\n"); "Could not find platform dependent libraries <exec_prefix>\n");
strcpy(exec_prefix, EXEC_PREFIX); strncpy(exec_prefix, EXEC_PREFIX, MAXPATHLEN);
joinpath(exec_prefix, "lib/lib-dynload"); joinpath(exec_prefix, "lib/lib-dynload");
} }
/* If we found EXEC_PREFIX do *not* reduce it! (Yet.) */ /* If we found EXEC_PREFIX do *not* reduce it! (Yet.) */
@ -565,7 +590,7 @@ calculate_path(void)
reduce(prefix); reduce(prefix);
} }
else else
strcpy(prefix, PREFIX); strncpy(prefix, PREFIX, MAXPATHLEN);
if (efound > 0) { if (efound > 0) {
reduce(exec_prefix); reduce(exec_prefix);
@ -573,7 +598,7 @@ calculate_path(void)
reduce(exec_prefix); reduce(exec_prefix);
} }
else else
strcpy(exec_prefix, EXEC_PREFIX); strncpy(exec_prefix, EXEC_PREFIX, MAXPATHLEN);
} }