Fix writes past the allocated array bounds in execvpe (BZ#20847)
[glibc.git] / posix / execvpe.c
blob7cdb06a6112e365ed3f6967e56e29f5bd1ce51fc
1 /* Copyright (C) 1991-2016 Free Software Foundation, Inc.
2 This file is part of the GNU C Library.
4 The GNU C Library is free software; you can redistribute it and/or
5 modify it under the terms of the GNU Lesser General Public
6 License as published by the Free Software Foundation; either
7 version 2.1 of the License, or (at your option) any later version.
9 The GNU C Library is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 Lesser General Public License for more details.
14 You should have received a copy of the GNU Lesser General Public
15 License along with the GNU C Library; if not, see
16 <http://www.gnu.org/licenses/>. */
18 #include <unistd.h>
19 #include <stdarg.h>
20 #include <stdbool.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <paths.h>
25 #include <confstr.h>
26 #include <sys/param.h>
28 #ifndef PATH_MAX
29 # ifdef MAXPATHLEN
30 # define PATH_MAX MAXPATHLEN
31 # else
32 # define PATH_MAX 1024
33 # endif
34 #endif
36 /* The file is accessible but it is not an executable file. Invoke
37 the shell to interpret it as a script. */
38 static void
39 maybe_script_execute (const char *file, char *const argv[], char *const envp[])
41 ptrdiff_t argc = 0;
42 while (argv[argc++] != NULL)
44 if (argc == INT_MAX - 1)
46 errno = E2BIG;
47 return;
51 /* Construct an argument list for the shell. It will contain at minimum 3
52 arguments (current shell, script, and an ending NULL. */
53 char *new_argv[argc + 1];
54 new_argv[0] = (char *) _PATH_BSHELL;
55 new_argv[1] = (char *) file;
56 if (argc > 1)
57 memcpy (new_argv + 2, argv + 1, (argc - 1) * sizeof(char *));
58 else
59 new_argv[2] = NULL;
61 /* Execute the shell. */
62 __execve (new_argv[0], new_argv, envp);
66 /* Execute FILE, searching in the `PATH' environment variable if it contains
67 no slashes, with arguments ARGV and environment from ENVP. */
68 int
69 __execvpe (const char *file, char *const argv[], char *const envp[])
71 /* We check the simple case first. */
72 if (*file == '\0')
74 __set_errno (ENOENT);
75 return -1;
78 /* Don't search when it contains a slash. */
79 if (strchr (file, '/') != NULL)
81 __execve (file, argv, envp);
83 if (errno == ENOEXEC)
84 maybe_script_execute (file, argv, envp);
86 return -1;
89 const char *path = getenv ("PATH");
90 if (!path)
91 path = CS_PATH;
92 /* Although GLIBC does not enforce NAME_MAX, we set it as the maximum
93 size to avoid unbounded stack allocation. Same applies for
94 PATH_MAX. */
95 size_t file_len = __strnlen (file, NAME_MAX) + 1;
96 size_t path_len = __strnlen (path, PATH_MAX - 1) + 1;
98 /* NAME_MAX does not include the terminating null character. */
99 if (((file_len-1) > NAME_MAX)
100 || !__libc_alloca_cutoff (path_len + file_len + 1))
102 errno = ENAMETOOLONG;
103 return -1;
106 const char *subp;
107 bool got_eacces = false;
108 /* The resulting string maximum size would be potentially a entry
109 in PATH plus '/' (path_len + 1) and then the the resulting file name
110 plus '\0' (file_len since it already accounts for the '\0'). */
111 char buffer[path_len + file_len + 1];
112 for (const char *p = path; ; p = subp)
114 subp = __strchrnul (p, ':');
116 /* PATH is larger than PATH_MAX and thus potentially larger than
117 the stack allocation. */
118 if (subp - p >= path_len)
120 /* If there is only one path, bail out. */
121 if (*subp == '\0')
122 break;
123 /* Otherwise skip to next one. */
124 continue;
127 /* Use the current path entry, plus a '/' if nonempty, plus the file to
128 execute. */
129 char *pend = mempcpy (buffer, p, subp - p);
130 *pend = '/';
131 memcpy (pend + (p < subp), file, file_len);
133 __execve (buffer, argv, envp);
135 if (errno == ENOEXEC)
136 /* This has O(P*C) behavior, where P is the length of the path and C
137 is the argument count. A better strategy would be allocate the
138 substitute argv and reuse it each time through the loop (so it
139 behaves as O(P+C) instead. */
140 maybe_script_execute (buffer, argv, envp);
142 switch (errno)
144 case EACCES:
145 /* Record that we got a 'Permission denied' error. If we end
146 up finding no executable we can use, we want to diagnose
147 that we did find one but were denied access. */
148 got_eacces = true;
149 case ENOENT:
150 case ESTALE:
151 case ENOTDIR:
152 /* Those errors indicate the file is missing or not executable
153 by us, in which case we want to just try the next path
154 directory. */
155 case ENODEV:
156 case ETIMEDOUT:
157 /* Some strange filesystems like AFS return even
158 stranger error numbers. They cannot reasonably mean
159 anything else so ignore those, too. */
160 break;
162 default:
163 /* Some other error means we found an executable file, but
164 something went wrong executing it; return the error to our
165 caller. */
166 return -1;
169 if (*subp++ == '\0')
170 break;
173 /* We tried every element and none of them worked. */
174 if (got_eacces)
175 /* At least one failure was due to permissions, so report that
176 error. */
177 __set_errno (EACCES);
179 return -1;
182 weak_alias (__execvpe, execvpe)