Ruby Issue Tracking System (https://bugs.ruby-lang.org/), feed updated 2013-11-26T16:30:41Z

Ruby master - Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157?journal_id=43166 | 2013-11-26T16:30:41Z | nobu (Nobuyoshi Nakada) nobu@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>This issue was solved with changeset r43853.<br>
Maciek, thank you for reporting this issue.<br>
Your contribution to Ruby is greatly appreciated.<br>
May Ruby be with you.</p>
<hr>
<p>file.c: fix buffer overflow</p>
<ul>
<li>file.c (rb_readlink): fix buffer overflow on a long symlink. since<br>
rb_str_modify_expand() expands from its length but not its capacity,<br>
need to set the length properly for each expansion.<br>
<a href="/issues/9157">[ruby-core:58592]</a> [Bug <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: rb_readlink() calls rb_str_modify_expand() too early (Closed)" href="https://bugs.ruby-lang.org/issues/9157">#9157</a>]</li>
</ul>

Ruby master - Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157?journal_id=43167 | 2013-11-26T16:32:23Z | nobu (Nobuyoshi Nakada) nobu@ruby-lang.org
<ul><li><strong>Backport</strong> changed from <i>1.9.3: UNKNOWN, 2.0.0: UNKNOWN</i> to <i>1.9.3: DONTNEED, 2.0.0: REQUIRED</i></li></ul>

Ruby master - Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157?journal_id=43179 | 2013-11-27T06:03:45Z | nowacki (Maciek Nowacki) nowacki@ualberta.ca
<p>nobu (Nobuyoshi Nakada) wrote:</p>
<blockquote>
<p>This issue was solved with changeset r43853.</p>
</blockquote>
<p>Ah, I didn't realize that rb_str_modify_expand() takes a difference as its argument, not the total buffer length. This works because the function doubles the buffer size, which is the same as adding as much buffer capacity as is already present (size before *=2). My proposed fix simply made the problem less obvious. Interesting.</p>

Ruby master - Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157?journal_id=43214 | 2013-11-28T02:09:54Z | vpereira (Victor Pereira) vpereira@suse.com
<p>Does it deserve a CVE?</p>

Ruby master - Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157?journal_id=43271 | 2013-11-30T08:57:25Z | nobu (Nobuyoshi Nakada) nobu@ruby-lang.org
<p>No, just a usual bug which aborts by local filesystem access.</p>

Ruby master - Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157?journal_id=43363 | 2013-12-02T23:07:52Z | nagachika (Tomoyuki Chikanaga) nagachika00@gmail.com
<ul><li><strong>Backport</strong> changed from <i>1.9.3: DONTNEED, 2.0.0: REQUIRED</i> to <i>1.9.3: DONTNEED, 2.0.0: DONE</i></li></ul><p>r43853 was backported to the ruby_2_0_0 branch at r43959.</p>