authorBernhard Übelacker <bernhardu@mailbox.org>2024-11-16 18:09:50 +0100
committerCorinna Vinschen <corinna@vinschen.de>2024-11-19 10:09:51 +0100
commitdbb8069df56cb68ea1167b3bc0ceb66fa6c35d3f (patch)
tree557d0ccf62978efd0e2f5ad8a17a5e099f12f25e /winsup/cygwin
parent9da0ac405163466bafc404e2335ae7f23309c311 (diff)
Cygwin: check_dir_not_empty: Avoid leaving the allocated buffer.
The pointer pfni is assigned the allocated buffer at the beginning, and is used in the NtQueryDirectoryFile call before the loops. In the loop the pointer pfni is also used as an iterator. Therefore it no longer holds the initial buffer at the call to NtQueryDirectoryFile in the while condition at the bottom. Fixes: 28fa2a72f8106 ("* syscalls.cc (check_dir_not_empty): Check surplus directory entries") Co-authored-by: Corinna Vinschen <corinna@vinschen.de> Signed-off-by: Bernhard Übelacker <bernhardu@mailbox.org>
Diffstat (limited to 'winsup/cygwin')
-rw-r--r--winsup/cygwin/release/3.5.53
-rw-r--r--winsup/cygwin/syscalls.cc10
2 files changed, 9 insertions, 4 deletions
diff --git a/winsup/cygwin/release/3.5.5 b/winsup/cygwin/release/3.5.5
index 2ca4572..3088f86 100644
--- a/winsup/cygwin/release/3.5.5
+++ b/winsup/cygwin/release/3.5.5
@@ -33,3 +33,6 @@ Fixes:
- Fix type of pthread_sigqueue() first parameter to match Linux.
Addresses: https://cygwin.com/pipermail/cygwin/2024-September/256439.html
+
+- Fix potential stack corruption in rmdir() in a border case.
+ Addresses: https://cygwin.com/pipermail/cygwin/2024-November/256774.html
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index df7d3a1..433739c 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -617,9 +617,10 @@ check_dir_not_empty (HANDLE dir, path_conv &pc)
IO_STATUS_BLOCK io;
const ULONG bufsiz = 3 * sizeof (FILE_NAMES_INFORMATION)
+ 3 * NAME_MAX * sizeof (WCHAR);
- PFILE_NAMES_INFORMATION pfni = (PFILE_NAMES_INFORMATION)
- alloca (bufsiz);
- NTSTATUS status = NtQueryDirectoryFile (dir, NULL, NULL, 0, &io, pfni,
+ PFILE_NAMES_INFORMATION pfni_buf = (PFILE_NAMES_INFORMATION)
+ alloca (bufsiz);
+ PFILE_NAMES_INFORMATION pfni;
+ NTSTATUS status = NtQueryDirectoryFile (dir, NULL, NULL, 0, &io, pfni_buf,
bufsiz, FileNamesInformation,
FALSE, NULL, TRUE);
if (!NT_SUCCESS (status))
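Review bot: `PFILE_NAMES_INFORMATION pfni;` on the new side is declared uninitialized at function scope even though its only assignment is the `pfni = pfni_buf;` reset at the top of the do-loop in the next hunk, and nothing visible reads it after the loop. Declaring it inside the loop body instead, `PFILE_NAMES_INFORMATION pfni = pfni_buf;` in place of the bare assignment, ties the iterator to the block that walks the buffer and makes it impossible to hand the advanced pointer to the refilling NtQueryDirectoryFile call again, which is the very mistake this commit fixes. This assumes pfni is not used outside the do-loop in the lines omitted between the hunks; check_dir_not_empty starts before this hunk and the loop body continues past it.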
@@ -631,6 +632,7 @@ check_dir_not_empty (HANDLE dir, path_conv &pc)
int cnt = 1;
do
{
+ pfni = pfni_buf;
while (pfni->NextEntryOffset)
{
if (++cnt > 2)
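Review bot: The reset `pfni = pfni_buf;` at the top of the loop body is the whole fix but carries no explanation, so a later cleanup could fold it back into the declaration and reintroduce the stack overrun the release note describes. A comment on that line, `/* pfni is advanced as an iterator below; restart from the buffer base each time the query in the while condition refills pfni_buf. */`, records why it must run on every iteration. The do-loop and the enclosing function both extend beyond this hunk.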
@@ -677,7 +679,7 @@ check_dir_not_empty (HANDLE dir, path_conv &pc)
pfni = (PFILE_NAMES_INFORMATION) ((caddr_t) pfni + pfni->NextEntryOffset);
}
}
- while (NT_SUCCESS (NtQueryDirectoryFile (dir, NULL, NULL, 0, &io, pfni,
+ while (NT_SUCCESS (NtQueryDirectoryFile (dir, NULL, NULL, 0, &io, pfni_buf,
bufsiz, FileNamesInformation,
FALSE, NULL, FALSE)));
return STATUS_SUCCESS;