authorDarren Tucker <dtucker@dtucker.net>2022-07-14 11:22:08 +1000
committerDarren Tucker <dtucker@dtucker.net>2022-07-14 11:22:08 +1000
commit527cb43fa1b4e55df661feabbac51b8e608b6519 (patch)
tree91890888822f8887047c27d4fee41a51bad62eb0 /openbsd-compat
parent36857fefd8849c4b0e877cfd9d1eb22f79b76650 (diff)
Return ERANGE from getcwd() if buffer size is 1.
If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it could result in a nul byte being written out of array bounds. POSIX says it should return ERANGE if the path will not fit in the available buffer (with terminating nul). 1 byte cannot fit any possible path with its nul, so immediately return ERANGE in that case. OpenSSH never uses getcwd() with this buffer size, and all current (and even quite old) platforms that we are currently known to work on have a native getcwd() so this code is not used on those anyway. Reported by Qualys, ok djm@
Diffstat (limited to 'openbsd-compat')
-rw-r--r--openbsd-compat/getcwd.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index 2d56bae1..a904291a 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -70,9 +70,12 @@ getcwd(char *pt, size_t size)
*/
if (pt) {
ptsize = 0;
- if (!size) {
+ if (size == 0) {
errno = EINVAL;
return (NULL);
+ } else if (size == 1) {
+ errno = ERANGE;
+ return (NULL);
}
ept = pt + size;
} else {
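Review bot: The new `size == 1` branch has no comment, so a later reader of getcwd() sees a special case whose reason is recorded only in the commit message. I would put `/* 1 byte cannot hold any path plus its nul; POSIX says ERANGE, so fail before the buffer is touched */` directly above it. The guard is also far from the write it protects, which lies outside this hunk, so it presumably relies on the later code never needing fewer than two bytes. If the rest of the function allows it, a bounds check next to that write would keep the invariant local. The diffstat shows only getcwd.c changed, so a small regression case that calls this getcwd() with a 1-byte buffer and expects NULL with `errno == ERANGE` would pin the behaviour on platforms where the compat code is still built.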