Synopsis: off-by-one error in realpath(3)
NetBSD versions: 1.6.1, 1.6, 1.5.3, 1.5.2, 1.5.1, 1.5
Thanks to: Jun-ichiro itojun Hagino
Reported in NetBSD Security Advisory: NetBSD-SA2003-011


Index: lib/libc/gen/getcwd.c
===================================================================
RCS file: /cvsroot/src/lib/libc/gen/getcwd.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -c -r1.29 -r1.30
*** getcwd.c	2003/08/03 04:12:01	1.29
--- getcwd.c	2003/08/03 04:14:00	1.30
***************
*** 175,182 ****
  			goto err1;
  		}
  		if (rootd == 0)
! 			(void)strcat(resolved, "/"); /* XXX: strcat is safe */
! 		(void)strcat(resolved, wbuf);	/* XXX: strcat is safe */
  	}
  
  	/* Go back to where we came from. */
--- 175,182 ----
  			goto err1;
  		}
  		if (rootd == 0)
! 			(void)strlcat(resolved, "/", MAXPATHLEN);
! 		(void)strlcat(resolved, wbuf, MAXPATHLEN);
  	}
  
  	/* Go back to where we came from. */