libutil: Improve errmsg on readLink size mismatch.

A message like "error: reading symbolic link `...' : Success" really is
quite confusing, so let's not indicate "success" but rather point out
the real issue.

We could also limit the check of this to just check for non-negative
values, but this would introduce a race condition between stat() and
readlink() if the link target changes between those two calls, thus
leading to a buffer overflow vulnerability.

Reported by @Ericson2314 on IRC. Happened due to a possible ntfs-3g bug
where a relative symlink returned the absolute path (st_)size in stat()
while readlink() returned the relative size.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Tested-by: John Ericson <Ericson2314@Yahoo.com>
This commit is contained in:
aszlig 2015-01-02 03:27:39 +01:00 committed by Eelco Dolstra
parent 411b237ee5
commit bbd45ac80f

View file

@ -193,8 +193,12 @@ Path readLink(const Path & path)
if (!S_ISLNK(st.st_mode)) if (!S_ISLNK(st.st_mode))
throw Error(format("%1% is not a symlink") % path); throw Error(format("%1% is not a symlink") % path);
char buf[st.st_size]; char buf[st.st_size];
if (readlink(path.c_str(), buf, st.st_size) != st.st_size) ssize_t rlsize = readlink(path.c_str(), buf, st.st_size);
if (rlsize == -1)
throw SysError(format("reading symbolic link %1%") % path); throw SysError(format("reading symbolic link %1%") % path);
else if (rlsize != st.st_size)
throw Error(format("symbolic link %1% size mismatch %2% != %3%")
% path % rlsize % st.st_size);
return string(buf, st.st_size); return string(buf, st.st_size);
} }