improve uwsgi_expand_path() to sanitize input, avoiding stack corrupt…

…ion and potential security issue
unbit · Feb 6, 2018 · cb4636f · cb4636f
1 parent ac03a53
commit cb4636f
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/core/utils.c b/core/utils.c
@@ -3674,18 +3674,23 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name, pid_t pid) {
 }
 
 char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
-	char src[PATH_MAX + 1];
-	memcpy(src, dir, dir_len);
-	src[dir_len] = 0;
+	if (dir_len > PATH_MAX)
+	{
+		uwsgi_log("invalid path size: %d (max %d)\n", dir_len, PATH_MAX);
+		return NULL;
+	}
+	char *src = uwsgi_concat2n(dir, dir_len, "", 0);
 	char *dst = ptr;
 	if (!dst)
 		dst = uwsgi_malloc(PATH_MAX + 1);
 	if (!realpath(src, dst)) {
 		uwsgi_error_realpath(src);
 		if (!ptr)
 			free(dst);
+		free(src);
 		return NULL;
 	}
+	free(src);
 	return dst;
 }