realpath() security issue, potential fix

Michael Pyne pynm0001 at comcast.net
Mon Aug 9 21:42:03 BST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 09 August 2004 15:21, David Faure wrote:
> > Unfortunately,
> > they don't recommend an alternative function to use either, and after
> > quite a bit of Googling, I wasn't able to find a suggested alternative
> > online.  One site seemed to suggest that if the input path was less than
> > MAX_PATH characters long that realpath was safe, but that seemed to be
> > against the general consensus.
>
> Common sense would indicate that it's the _output_ path that has to be
> allocated to MAX_PATH characters....

Every source of information on realpath() indicated that output had to at 
least be MAX_PATH long, but apparently some implementations of realpath() 
will also overflow if input length is > MAX_PATH.  And the problem is that 
you can't trust MAX_PATH sometimes, since it's simply a #define.

Say you upgrade your kernel to one with a larger MAX_PATH, now you've got a 
buffer overflow again until you recompile.  There are POSIX functions to get 
MAX_PATH at runtime, but apparently they're allowed to return "no set 
length", which is next to useless. :-(

> > I know of at least one KDE application that uses realpath(3)
>
> Actually they all do, via KStandardDirs.

Oh, I didn't know that.  Perhaps that makes it that much more useful.

> Anyway.... doesn't QDir::canonicalPath() do this already?

QDir::canonicalPath() does do this, but from reading the source, they call 
realpath() also, at least when I checked while writing this replacement.

> > P.S. I tried attaching the file last time I e-mailed -core-devel, but
> > KMail turned the whole message into an attachment an the message got
> > dropped.
>
> You put the mail in the drafts folder temporarily, right? I had that bug
> too, but I couldn't reproduce it :(

Actually I didn't, but I couldn't reproduce it either, so I'm not sure what's 
going on.  I don't know if you've already read my other e-mail, but I've 
revised the patch.  I also just now changed the license, it's pretty silly to 
propose GPL'ed code for inclusion in kdelibs.  The license is now LGPL.

It's still up at 
http://grammarian.homelinux.net/~kde-cvs/realpath-replacement-2.cpp

Regards,
 - Michael Pyne
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBF+GfqjQYp5Omm0oRAoXdAJ9i0vZ0wyix1zlujHS3630f+HA1bACg5MTO
Z9oHUbIgIV3n1EeMPBpbOBo=
=2R97
-----END PGP SIGNATURE-----




More information about the kde-core-devel mailing list