[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Innocuous buglet in mkdir(1)



>Submitter-Id:	net
>Originator:	Loic Tortay
>Organization:
>Synopsis:	There is a buglet in mkdir(1), in the "mkpath()" function.
>Severity:	non-critical
>Priority:	low
>Category:	system
>Class:		sw-bug
>Release:	<= 3.9-current
>Environment:
	System      : OpenBSD 3.9
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:

There is an innocuous buglet in the "mkpath()" function of "mkdir(1)".

In the "while" loop, "*slash" is always modified after the call to
"mkdir(2)".

"*slash" should not be modified when the last part of the path is reached
(id est when "done" is "true").
In that case, the terminating '\0' of the path is overwitten with a '/'.

This is not a problem in "mkdir(1)" since the "argv" argument to
"mkpath()" is not reused.

Both NetBSD and FreeBSD have a fix similar to the one proposed.

>How-To-Repeat:

Reuse "mkpath()" in another program than "mkdir(1)" and see the modified
path when you reuse the directory path name after the call to "mkpath()".

>Fix:

Index: mkdir.c
===================================================================
RCS file: /cvs/src/bin/mkdir/mkdir.c,v
retrieving revision 1.17
diff -u -r1.17 mkdir.c
--- mkdir.c	1 Jul 2004 18:25:47 -0000	1.17
+++ mkdir.c	20 Mar 2006 09:54:25 -0000
@@ -166,7 +166,8 @@
 			return (-1);
 		}

-		*slash = '/';
+		if (!done)
+			*slash = '/';
 	}

 	return (0);



Visit your host, monkey.org