Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8173828

realpath is unsafe

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 10
    • Fix Version/s: 10
    • Component/s: hotspot
    • Labels:
      None
    • Subcomponent:
    • Resolved In Build:
      b21

      Description

      realpath(3) is unsafe when used in the traditional way. It takes a pointer to a user provided buffer, but no buffer length; instead, it requires the buffer to be PATH_MAX + 1.

      This is unsafe, because there is no safe way to pre-determine the maximum length of the file name. If PATH_MAX is determined using pathconf(3), this information may be out of date the moment realpath(3) is called. Even worse, if PATH_MAX is a compile time constant, this constant may have nothing to do with the real resolved file name length the jvm encounters at runtime, which is a property of the mounted file system(s).

      To address this, since POSIX 1.2008 realpath(3) allows the user to hand in NULL instead of a buffer, in which case the buffer is dynamically allocated by realpath(3) itself. Caller must call free() to free it.

      Most of our platforms save for oldish AIX systems should support POSIX 1.2008, so it makes sense to use this behaviour. Where it cannot be used, at least the buffer should be checked for overwrites after realpath() returns.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              stuefe Thomas Stuefe
              Reporter:
              stuefe Thomas Stuefe
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: