ABSTRACT

The buffer passed to realpath() should hold at least PATH_MAX bytes.

EXPLANATION

The C standard library function realpath() takes two arguments: the first is the file name to be converted to canonical form, and the second is the output buffer that receives the result. Regardless of the length of the canonicalized file name, realpath() never writes more than PATH_MAX bytes to that buffer.

Some programmers incorrectly assume that a buffer of PATH_MAX bytes is always large enough to hold any file name that might exist on the system. However, PATH_MAX only bounds the longest relative path that can be passed to the kernel in a single call; on most Unix and Linux systems there is no easily-determined maximum length for a path.

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3590.1 CAT I

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 249, CWE ID 560

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.2

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.5

[7] The GNU C Library Reference Manual, The GNU Software Foundation