From e35442a6844418a78526ccaffe41face391f737e Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 5 Jun 2026 08:48:43 +0000 Subject: [PATCH] avoid truncation of pathnames headed to lstat() for systems where PATH_MAX is not the actual max; reported by sahvx655-wq via GHPR688 --- usr.bin/ssh/sftp-server.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c index 46c06cafa2e..65df3cdf9c8 100644 --- a/usr.bin/ssh/sftp-server.c +++ b/usr.bin/ssh/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.154 2026/05/31 04:59:51 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.155 2026/06/05 08:48:43 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1122,7 +1122,7 @@ process_readdir(uint32_t id) send_status(id, SSH2_FX_FAILURE); } else { struct stat st; - char pathname[PATH_MAX]; + char *pathname; Stat *stats; int nstats = 10, count = 0, i; @@ -1132,10 +1132,11 @@ process_readdir(uint32_t id) nstats *= 2; stats = xreallocarray(stats, nstats, sizeof(Stat)); } -/* XXX OVERFLOW ? */ - snprintf(pathname, sizeof pathname, "%s%s%s", path, + xasprintf(&pathname, "%s%s%s", path, strcmp(path, "/") ? "/" : "", dp->d_name); - if (lstat(pathname, &st) == -1) + r = lstat(pathname, &st); + free(pathname); + if (r == -1) continue; stat_to_attrib(&st, &(stats[count].attrib)); stats[count].name = xstrdup(dp->d_name);