...
This modification incorrectly assumes that the symbolic link cannot be longer than the value of SYMLINK_MAX returned by pathconf(). However, the value returned by pathconf() is out-of-date by the time readlink() is called, and so the off-by-one buffer overflow risk is still present because in between the two calls, the location of /usr/bin/perl can change to a file system with a larger SYMLINK_MAX value. Also, if SYMLINK_MAX is indeterminate (that is, if pathconf() returned -1 without setting errno), the code uses an arbitrary large buffer size (10,000) that it hopes will be sufficient, but there is a small chance that readlink() can return exactly this size.
An additional issue is that readlink() can return -1 if it fails, causing an off-by-one underflow.
Compliant Solution
This example compliant solution ensures there will be no overflow by only reading in sizeof(buf)-1 characters. It also properly checks to see if an error has occurred.
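A minimal C version of the approach described above, added here as an illustration and not the code from the original page. The names read_link_target(), demo_with_symlink() and demo_out, the -2 return value and the temp-directory fixture are assumptions of this example; it goes slightly beyond the text by also reporting a target that fills the buffer as possibly truncated.

```c
#define _XOPEN_SOURCE 700  /* expose readlink(), symlink(), mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: read the target of symlink `path` into `buf`, which
 * is left NUL-terminated. Returns the target length, -1 if readlink() failed
 * (errno set), or -2 if the target filled the buffer (may be truncated). */
static ssize_t read_link_target(const char *path, char *buf, size_t bufsize)
{
    if (buf == NULL || bufsize < 2) { errno = EINVAL; return -1; }
    /* Ask for at most bufsize - 1 bytes so buf[len] is always in bounds. */
    ssize_t len = readlink(path, buf, bufsize - 1);
    if (len == -1) {              /* error: never use -1 as an index */
        buf[0] = '\0';
        return -1;
    }
    buf[len] = '\0';              /* readlink() does not terminate */
    return ((size_t)len == bufsize - 1) ? -2 : len;
}

static char demo_out[64];         /* result of the last demo call */

/* Constructed fixture: make a symlink to `target` in a fresh temp directory,
 * read it back through a `bufsize`-byte buffer, copy it to demo_out. */
static ssize_t demo_with_symlink(const char *target, size_t bufsize)
{
    char dir[] = "/tmp/pos30c-XXXXXX", link[64];
    ssize_t rc = -1;
    char *buf = calloc(bufsize, 1);
    if (buf == NULL || mkdtemp(dir) == NULL) { free(buf); return -1; }
    snprintf(link, sizeof link, "%s/link", dir);
    if (symlink(target, link) == 0) {
        rc = read_link_target(link, buf, bufsize);
        snprintf(demo_out, sizeof demo_out, "%s", buf);
        unlink(link);
    }
    rmdir(dir);
    free(buf);
    return rc;
}

int main(void)
{
    ssize_t rc = demo_with_symlink("/usr/bin/perl", sizeof demo_out);
    printf("rc=%zd target=%s\n", rc, demo_out);
    return rc == 13 ? 0 : 1;
}
```

A caller that receives -2 can retry with a larger buffer instead of using a silently shortened path.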
...
Failing to properly terminate the result of readlink() can result in abnormal program termination and buffer-overflow style vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
POS30-C | high | probable | medium | P12 | L1 |
...