ptsname_r: don't leak unitialized memory
Commit Message
If the fd refers to a terminal device, but not a pty master, the
TIOCGPTN ioctl returns with ENOTTY. This error is not caught, and the
possibly undefined buffer passed to ptsname_r is sent directly to the
stat64 syscall.
Fix this by using a fallback to the old method only if the TIOCGPTN
ioctl fails with EINVAL. This also fix the return value in that specific
case (it return ENOENT without this patch).
Note: this is Debian bug#741482, reported by Jakub Wilk <jwilk@debian.org>
---
ChangeLog | 6 ++++++
sysdeps/unix/sysv/linux/ptsname.c | 4 +++-
2 files changed, 9 insertions(+), 1 deletion(-)
Comments
Seems like something for which you could write a test case.
On Mon, May 05, 2014 at 12:37:21PM -0700, Roland McGrath wrote:
> Seems like something for which you could write a test case.
Indeed, we can at least test that the error value is the correct one.
Catching the use of uninitialized data in xstat64 looks more difficult.
I'll work on that and provide a new version of this patch including a
test.
@@ -1,3 +1,9 @@
+2014-05-05 Aurelien Jarno <aurelien@aurel32.net>
+
+ * sysdeps/unix/sysv/linux/ptsname.c (__ptsname_internal): return
+ errno if the TIOCGPTN ioctl fails with an error different than
+ EINVAL.
+
2014-05-04 Adam Conrad <adconrad@0c3.net>
* locale/iso-4217.def: Reintroduce XDR currency.
@@ -105,7 +105,9 @@ __ptsname_internal (int fd, char *buf, size_t buflen, struct stat64 *stp)
memcpy (__stpcpy (buf, devpts), p, &numbuf[sizeof (numbuf)] - p);
}
- else if (errno == EINVAL)
+ else if (errno != EINVAL)
+ return errno;
+ else
#endif
{
char *p;