Menu

#1935 Unsafe use of dirname()/basename()

GIT version
closed
Marcus Meissner
None
1
2023-10-09
2023-10-06
Anonymous
No

In some examples dirname() and/or basename() are used in a non-secure way on Linux.

$ man 3 dirname
--->8---
       Both dirname() and basename() may modify the contents of path, so it may be desirable to pass a copy when calling one of these functions.

       These  functions  may  return pointers to statically allocated memory which may be overwritten by subsequent calls.  Alternatively, they may return a pointer to some part of path, so that the string
       referred to by path should not be modified or freed until the pointer returned by the function is no longer required.
--->8---

from that same man page an example of how to properly use the functions in question:

EXAMPLE
       The following code snippet demonstrates the use of basename() and dirname():
           char *dirc, *basec, *bname, *dname;
           char *path = "/etc/passwd";

           dirc = strdup(path);
           basec = strdup(path);
           dname = dirname(dirc);
           bname = basename(basec);
           printf("dirname=%s, basename=%s\n", dname, bname);

The affected examples are:

examples/newfolder.c [dirname, basename]
examples/sendfile.c [basename]
examples/connect.c [basename]

Other usages of basename()/dirname() follow the example from the man page. The problem is not a theoretical one, because e.g.

$ examples/mtp-folders
Attempting to connect device(s)
mtp-folders: Successfully connected
Android device detected, assigning default bug flags
Friendly name: (NULL)
Storage: Card Storage
No folders found
OK.

$ examples/mtp-connect --newfolder /f1
libmtp version: 1.1.21

Android device detected, assigning default bug flags
New folder /f1
Creating new folder /f1
Folder creation failed.

$ examples/mtp-connect --newfolder f1
libmtp version: 1.1.21

Android device detected, assigning default bug flags
New folder f1
Creating new folder f1
New folder created with ID: 1

$ examples/mtp-folders
Attempting to connect device(s)
mtp-folders: Successfully connected
Android device detected, assigning default bug flags
Friendly name: (NULL)
Storage: Card Storage
1   f1
OK.

$ examples/mtp-connect --newfolder /f1/f2
libmtp version: 1.1.21

Android device detected, assigning default bug flags
New folder /f1/f2
Creating new folder /f1/f2
New folder created with ID: 2

but the folder actually created is /f1/f1:

$ examples/mtp-folders
Attempting to connect device(s)
mtp-folders: Successfully connected
Android device detected, assigning default bug flags
Friendly name: (NULL)
Storage: Card Storage
1   f1
2     f1
OK.

The attached patch 0001.... fixes the above problems with newfolder. Tested. Patches 0002... and 0003 are not tested.

3 Attachments
0001-Properly-use-dirname-basename-in-newfolder-example.patch
0002-Properly-use-dirname-basename-in-sendfile-example.patch
0003-Properly-use-dirname-basename-in-connect-example.patch

Discussion

  • Marcus Meissner

    Marcus Meissner - 2023-10-09
    • status: open --> closed
    • assigned_to: Marcus Meissner
     

  • Marcus Meissner

    Marcus Meissner - 2023-10-09

    thanks. I have applied all 3 , some small adjustments to fix builds on mac

     

Anonymous
Anonymous

Add attachments
Cancel





MongoDB Logo MongoDB