Csh has a section of code where it NUL-terminates after a Strlcpy().
Strlcpy() may read past what readlink() wrote, since readlink() does
not append a NUL.
Index: bin/csh/dir.c
===================================================================
RCS file: /cvs/src/bin/csh/dir.c,v
retrieving revision 1.14
diff -u -p -d -r1.14 dir.c
--- bin/csh/dir.c 27 Oct 2009 23:59:21 -0000 1.14
+++ bin/csh/dir.c 11 Jul 2014 06:04:23 -0000
@@ -760,8 +760,8 @@ dcanon(Char *cp, Char *p)
!adrof(STRignore_symlinks) &&
(cc = readlink(short2str(cp), tlink,
sizeof tlink-1)) >= 0) {
+ tlink[cc] = '\0';
(void) Strlcpy(link, str2short(tlink), sizeof
link/sizeof(Char));
- link[cc] = '\0';
/*
* restore the '/'.
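Review bot: The store `tlink[cc] = '\0';` is in bounds only because the readlink() call two lines above passes `sizeof tlink-1`, and nothing at the store itself records that coupling; a one-line comment there would keep a later change to the readlink() length from silently reintroducing the overflow, e.g. `/* readlink() does not NUL terminate; cc <= sizeof tlink - 1 by the length passed above */`. The Strlcpy() result is still discarded with `(void)`, so a target longer than `link` is truncated without any indication — unchanged by this patch, but worth confirming against the declared sizes of `link` and `tlink`, which are outside the hunk. The `if` condition and the rest of dcanon() begin and end outside the hunk.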
Index: bin/pax/ftree.c
===================================================================
RCS file: /cvs/src/bin/pax/ftree.c,v
retrieving revision 1.31
diff -u -p -d -r1.31 ftree.c
--- bin/pax/ftree.c 24 May 2014 18:51:00 -0000 1.31
+++ bin/pax/ftree.c 11 Jul 2014 06:04:23 -0000
@@ -477,7 +477,7 @@ next_file(ARCHD *arcn)
}
/*
* set link name length, watch out readlink does not
- * always NUL terminate the link path
+ * NUL terminate the link path
*/
arcn->ln_name[cnt] = '\0';
arcn->ln_nlen = cnt;