fix stack overflow in ExpandLinks path component parsing#6209

Open
aizu-m wants to merge 1 commit into cfengine:master from aizu-m:expandlinks-component-overflow

Conversation

@aizu-m aizu-m commented Jul 2, 2026

Contributor

Found this reading the symlink resolver.

  1. ExpandLinks() splits the path one component at a time with sscanf(sp, "%[^/]", node) into node[CF_MAXLINKSIZE] (256), no field width.

  2. The parse runs before the lstat(), and the recursive call hands readlink() targets (up to CF_BUFSIZE-1) back in as from, so a symlink target that is a single long slash-free component overruns the stack.

     ERROR: AddressSanitizer: stack-buffer-overflow
         WRITE of size 1023
         #1 sscanf
         #2 ExpandLinks files_links.c:710
    

Measured the component with strcspn() first and bail the same way the rest of the function already does on an over-long path. Regression test added under tests/unit.

Signed-off-by: Aizal Khan <aizumusheer2@gmail.com>
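The pattern the PR describes (an unbounded `%[^/]` conversion into a fixed 256-byte buffer) and the shape of the fix (measure the component with `strcspn()` before writing, and bail when it would not fit) as an added, stand-alone example. This is not CFEngine's code: `NODE_SIZE`, `next_component`, `walk_components` and `probe_component_length` are this example's own names, and `NODE_SIZE` merely reuses the value 256 the PR gives for `CF_MAXLINKSIZE`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-component buffer size. The PR gives node[CF_MAXLINKSIZE] as 256; the
 * constant name here is this example's own, not CFEngine's header. */
#define NODE_SIZE 256

/*
 * Copy the next slash-free component of `sp` into `node` (capacity `nodelen`).
 * Returns the component length, or -1 if the component would not fit.
 *
 * The call the PR removes looked like
 *     sscanf(sp, "%[^/]", node);
 * which has no field width, so it writes until the next '/' or NUL no matter
 * how large `node` is. Measuring with strcspn() before any write bounds the
 * copy; an equivalent hardening is a fixed width such as "%255[^/]" together
 * with a check that the whole component was consumed.
 */
static int next_component(const char *sp, char *node, size_t nodelen)
{
    size_t len = strcspn(sp, "/");
    if (len >= nodelen) {
        return -1;                 /* bail before touching node[] */
    }
    memcpy(node, sp, len);
    node[len] = '\0';
    return (int)len;
}

/*
 * Walk every component of `path` with a NODE_SIZE buffer, the way a path
 * resolver would. Returns the number of components, or -1 on the first one
 * that does not fit, so the caller can give up on the whole path.
 */
static int walk_components(const char *path)
{
    char node[NODE_SIZE];
    const char *sp = path;
    int count = 0;

    while (*sp != '\0') {
        if (*sp == '/') {          /* skip separators, including repeats */
            sp++;
            continue;
        }
        int n = next_component(sp, node, sizeof node);
        if (n < 0) {
            return -1;
        }
        sp += n;
        count++;
    }
    return count;
}

/*
 * Build a constructed single component of `len` 'a' characters (the shape a
 * long slash-free symlink target would have) and run it through the walker.
 * Returns the walker's result, or -2 if the buffer could not be allocated.
 */
static int probe_component_length(size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL) {
        return -2;
    }
    memset(buf, 'a', len);
    buf[len] = '\0';
    int rc = walk_components(buf);
    free(buf);
    return rc;
}

int main(void)
{
    printf("/usr/local/bin -> %d components\n", walk_components("/usr/local/bin"));
    printf("255-byte component -> %d\n", probe_component_length(255));
    printf("256-byte component -> %d\n", probe_component_length(256));
    printf("1023-byte component -> %d\n", probe_component_length(1023));
    return 0;
}
```

The boundary is `len >= nodelen` rather than `>` because the terminating NUL also needs a byte, so a 255-character component is the longest that fits in a 256-byte buffer; anything longer is rejected before a single byte is written, which is the same outcome the PR's check produces for an over-long path.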
@cf-bottom


Thanks for submitting a pull request! Maybe @larsewi can review this?
