Hi Michael,

I noticed that the example in the readlink.2 man pages does error checking for a race condition that would cause the value of the symbolic link to get larger. However, it doesn't handle the opposite case, in which the value gets shorter. (The NULL terminator is always set at the old, longer offset.) This could cause a program to operate on uninitialized data.

Here's a patch against 3.52:

>From 3db3021cc137937c79f95d2aa1c2820b20732c22 Mon Sep 17 00:00:00 2001 From: Chuck Coffing <clc@xxxxxxxxxxxx> Date: Mon, 15 Jul 2013 10:11:15 -0600 Subject: [PATCH] Fix possible race condition in readlink.2 example --- man2/readlink.2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man2/readlink.2 b/man2/readlink.2 index f4ee2cb..9633149 100644 --- a/man2/readlink.2 +++ b/man2/readlink.2 @@ -204,7 +204,7 @@ main(int argc, char *argv[]) exit(EXIT_FAILURE); } - linkname[sb.st_size] = \(aq\\0\(aq; + linkname[r] = \(aq\\0\(aq; printf("\(aq%s\(aq points to \(aq%s\(aq\\n", argv[1], linkname); -- 1.8.3.2
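Review bot: The added line `linkname[r] = \(aq\\0\(aq;` is only safe if `r` is non-negative and smaller than the allocated size of `linkname`, and the hunk's context (just the closing `exit(EXIT_FAILURE); }` of an earlier check) shows neither guarantee. Please confirm that the code above this hunk exits when readlink() returns -1 and when `r` exceeds `sb.st_size`, and that `linkname` has room for at least `sb.st_size + 1` bytes, so the index is always in bounds. The commit message is also subject-only: a sentence in the body saying that the link value can become shorter between the call that fills `sb` and readlink(), leaving the bytes between `r` and `sb.st_size` uninitialized, would record why the return value is the right index.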