Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2226448/?format=api
{ "id": 2226448, "url": "http://patchwork.ozlabs.org/api/patches/2226448/?format=api", "web_url": "http://patchwork.ozlabs.org/project/glibc/patch/20260422123538.889818-1-adhemerval.zanella@linaro.org/", "project": { "id": 41, "url": "http://patchwork.ozlabs.org/api/projects/41/?format=api", "name": "GNU C Library", "link_name": "glibc", "list_id": "libc-alpha.sourceware.org", "list_email": "libc-alpha@sourceware.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260422123538.889818-1-adhemerval.zanella@linaro.org>", "list_archive_url": null, "date": "2026-04-22T12:35:30", "name": "posix: Fix stack overflow in wordexp tilde expansion (BZ 34091, CVE-2026-6791)", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "e95e5612eae6fa7b421b70c1dfe91dc53df21383", "submitter": { "id": 66065, "url": "http://patchwork.ozlabs.org/api/people/66065/?format=api", "name": "Adhemerval Zanella Netto", "email": "adhemerval.zanella@linaro.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/glibc/patch/20260422123538.889818-1-adhemerval.zanella@linaro.org/mbox/", "series": [ { "id": 501006, "url": "http://patchwork.ozlabs.org/api/series/501006/?format=api", "web_url": "http://patchwork.ozlabs.org/project/glibc/list/?series=501006", "date": "2026-04-22T12:35:30", "name": "posix: Fix stack overflow in wordexp tilde expansion (BZ 34091, CVE-2026-6791)", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501006/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2226448/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2226448/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "libc-alpha@sourceware.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "libc-alpha@sourceware.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=Thl0gxJI;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)", "sourceware.org;\n\tdkim=pass (2048-bit key,\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=Thl0gxJI", "sourceware.org;\n dmarc=pass (p=none dis=none) header.from=linaro.org", "sourceware.org; spf=pass smtp.mailfrom=linaro.org", "server2.sourceware.org;\n arc=none smtp.remote-ip=2607:f8b0:4864:20::92f" ], "Received": [ "from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0zGw2jP5z1yD5\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 22:36:08 +1000 (AEST)", "from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id EB2424BBC086\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 12:36:05 +0000 (GMT)", "from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com\n [IPv6:2607:f8b0:4864:20::92f])\n by sourceware.org (Postfix) with ESMTPS id 1103B4B9209D\n for <libc-alpha@sourceware.org>; Wed, 22 Apr 2026 12:35:44 +0000 (GMT)", "by mail-ua1-x92f.google.com with SMTP id\n a1e0cc1a2514c-94de68feaf4so2624281241.0\n for <libc-alpha@sourceware.org>; Wed, 22 Apr 2026 05:35:44 -0700 (PDT)", "from mandiga.. ([2804:1b3:a7c3:d5d0:3e95:69d2:d83e:ba1f])\n by smtp.gmail.com with ESMTPSA id\n ada2fe7eead31-61745c9e51bsm8419090137.4.2026.04.22.05.35.41\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 22 Apr 2026 05:35:42 -0700 (PDT)" ], "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 sourceware.org EB2424BBC086", "OpenDKIM Filter v2.11.0 sourceware.org 1103B4B9209D" ], "DMARC-Filter": "OpenDMARC Filter v1.4.2 sourceware.org 1103B4B9209D", "ARC-Filter": "OpenARC Filter v1.0.0 sourceware.org 1103B4B9209D", "ARC-Seal": "i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1776861344; cv=none;\n b=ZAtqTLSGvMFB9CLsOR8STmqkRWjMylDSE1/CfrGUapFwFCu8kBUxtBPY3ZDktyQT6PmAbQ3rjW5OG8O5Jix7D8luR1AZ6mnxqZj/CL+t6l6pofaEqOpfOmXoeKcMU8ehaHICXL+FBDnKKC5rJBaTXDBHC1Pku1x2zhHYItkWvPE=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1776861344; c=relaxed/simple;\n bh=4vrqnlEtaTTruBWFQ/qeYqI0ttyzdkUJnfmQymYPidA=;\n h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;\n b=ZjsX/LJwtPDpzZxFQ9hw698205R/nIHJPvzItO8nvDhK0u2Hk/x8VuogjN6z12adg8/ICO4hAv2LKdX/LCVHa8zu5BOjuRjpuCqKC31563lCtzBs4kHiPGEEOEPLOtG4/bdcWAmqo9DLPhI0c+KHgOLE9a/o6/8aaXXgf8zIhVo=", "ARC-Authentication-Results": "i=1; server2.sourceware.org", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1776861343; x=1777466143; darn=sourceware.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=d/GhnB8EuCP8E61zLVRdcopa88nu4WhX0gnJfGnrwsk=;\n b=Thl0gxJISBKeDvKExD5mpuVkpMp/ES27ygcEIXBzIILVesjnVJCizrKjYt08k2KHMM\n QJpP8Q0IODUafJOLPzbgcue0lParVITSSvMtKiuGTJtwyBXrKC1I3vyeWyZJjuHsHOFy\n yhxsJwrM2t1I/9yUBhOWGTeox6nOsIbtPyC2z93jzwl1DnFpmQuI5EdLz78liBjBlFPg\n P08KmuROh/TpexV+WhFso66wvk/kbmU6LceY7D/c+7gWfi2WfyMReDmN/4yKTBfQsFir\n GkRzqBRmguUU4XR2GeDX+k6G23v9zVATZsP+KCZI+9NFX7euEhx1biLoyNqrZGsXZ8yR\n PK7A==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776861343; x=1777466143;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=d/GhnB8EuCP8E61zLVRdcopa88nu4WhX0gnJfGnrwsk=;\n b=B49LPN2+kubqpIpjHoJvgPbbloEck+E8zC1BkynWPPFFmCjwQ0wBld6k0eSk1QbvoT\n Yhv9XKq2SA464ec4vuskBwo8mOCNPJtPSX5vUNuagTv5sgePcokSBNhwe5H19uS2gFV/\n lX1EoFdzRNufmC6xh1PnmKBsW8kA64Q486XiuPf5CLiH+u3QsUU0EfLbSZ9WIF1B+3dK\n +NUj0sKnRaFdEXRi2yUpVyMh8hTJ94yy8ZOYiBNDqwVd9Cnkl81l+YDXZyWu5QLXJvuG\n p+Q5cF4RnffyXw+oZQbyiQQ0wp5F19LeLF6c7ISi93l0R89pX/ZV9aEos3oWnYGAwwXi\n QLtg==", "X-Gm-Message-State": "AOJu0YxN3fp9sliFAVmvYnh3vCh72CPHbw890sSdXY/H/MCaaLaUmd6t\n Esl+SLDNb2KWROrPI4EfWekFpLt+LqMehvJwZsT/YXvnyjuL5AgKB8wSbO9qK5exVpk7FpX0K2S\n 4sUen", "X-Gm-Gg": "AeBDieuzhL7qbJVVbM1bjYjx3bo9+YGChZi/Me0EYNhv3+0zXDLmj61RXdtavB02DZM\n HP3/r5fxB2zIAz6wRfrR6bJD5WJJ5XKYDxmzwayG+VHqeWPKDqFt/hHP0sYvdDzfbNYFwVo1cOs\n jLGnJTYDGBQ+29DcPqDqw3hTUDhBvpzyCKBZ8e5K70x3vKVEDtpl8o6oPo+Yb2r+H6YmCs2PFsy\n uDAnE3fa8pIJ4nDoCOB/4UvSZ1jNaMQgqly4wtYz/f/jioxm1p84lxNtK4dx45/YI58tQLuOqp/\n yVYn2PBhYmIAswMsxPB/3JlQepkMY/zIKvrC+AytzumvS3JYaQVFwtTKQ1rb9USsTPZFn5DpMU4\n hkK9prwrlBRixlM9ZkYeqyTPhqsbutJNdQc2vxN7mLtW/lW2DwFE5+4dnwH5JmBfTXQECQLYUso\n 5lSCsRmBFDXNSd/fmm7LmTRDyMi2kx42ayRhfoI+cSwlO0dM1X6nPEuC5J", "X-Received": "by 2002:a05:6102:512c:b0:605:6615:d9dd with SMTP id\n ada2fe7eead31-616f473aaf1mr12248971137.3.1776861342885;\n Wed, 22 Apr 2026 05:35:42 -0700 (PDT)", "From": "Adhemerval Zanella <adhemerval.zanella@linaro.org>", "To": "libc-alpha@sourceware.org", "Cc": "Siddhesh Poyarekar <siddhesh@gotplt.org>,\n Carlos O'Donell <carlos@redhat.com>", "Subject": "[PATCH] posix: Fix stack overflow in wordexp tilde expansion (BZ\n 34091, CVE-2026-6791)", "Date": "Wed, 22 Apr 2026 09:35:30 -0300", "Message-ID": "<20260422123538.889818-1-adhemerval.zanella@linaro.org>", "X-Mailer": "git-send-email 2.43.0", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=UTF-8", "Content-Transfer-Encoding": "8bit", "X-BeenThere": "libc-alpha@sourceware.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Libc-alpha mailing list <libc-alpha.sourceware.org>", "List-Unsubscribe": "<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>", "List-Archive": "<https://sourceware.org/pipermail/libc-alpha/>", "List-Post": "<mailto:libc-alpha@sourceware.org>", "List-Help": "<mailto:libc-alpha-request@sourceware.org?subject=help>", "List-Subscribe": "<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>", "Errors-To": "libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org" }, "content": "The parse_tilde function previously used strndupa to allocate memory\nfor the parsed username on the stack, and since the input is\nuser-defined, this can lead to a stack overflow.\n\nThis patch fixes the issue by replacing strndupa with scratch_buffer,\nby reusing the buffer used in the __getpwnam_r call.\n\nThe new “tst-wordexp-tilde.c” test is a test-container to avoid using\nsystem-defined NSS modules.\n\nChecked on x86_64-linux-gnu and i686-linux-gnu.\n---\n posix/Makefile | 1 +\n posix/tst-wordexp-tilde.c | 244 ++++++++++++++++++\n posix/tst-wordexp-tilde.root/etc/group | 1 +\n .../tst-wordexp-tilde.root/etc/nsswitch.conf | 3 +\n posix/tst-wordexp-tilde.root/etc/passwd | 1 +\n posix/wordexp.c | 28 +-\n 6 files changed, 270 insertions(+), 8 deletions(-)\n create mode 100644 posix/tst-wordexp-tilde.c\n create mode 100644 posix/tst-wordexp-tilde.root/etc/group\n create mode 100644 posix/tst-wordexp-tilde.root/etc/nsswitch.conf\n create mode 100644 posix/tst-wordexp-tilde.root/etc/passwd", "diff": "diff --git a/posix/Makefile b/posix/Makefile\nindex a5e5162c61..b2de242321 100644\n--- a/posix/Makefile\n+++ b/posix/Makefile\n@@ -359,6 +359,7 @@ tests-internal := \\\n tests-container := \\\n bug-ga2 \\\n tst-vfork3 \\\n+ tst-wordexp-tilde \\\n # tests-container\n \n tests-time64 := \\\ndiff --git a/posix/tst-wordexp-tilde.c b/posix/tst-wordexp-tilde.c\nnew file mode 100644\nindex 0000000000..35f200a0b7\n--- /dev/null\n+++ b/posix/tst-wordexp-tilde.c\n@@ -0,0 +1,244 @@\n+/* Test wordexp tilde expansion with large usernames (BZ #XXXXX).\n+ Copyright (C) 2026 Free Software Foundation, Inc.\n+ This file is part of the GNU C Library.\n+\n+ The GNU C Library is free software; you can redistribute it and/or\n+ modify it under the terms of the GNU Lesser General Public\n+ License as published by the Free Software Foundation; either\n+ version 2.1 of the License, or (at your option) any later version.\n+\n+ The GNU C Library is distributed in the hope that it will be useful,\n+ but WITHOUT ANY WARRANTY; without even the implied warranty of\n+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU\n+ Lesser General Public License for more details.\n+\n+ You should have received a copy of the GNU Lesser General Public\n+ License along with the GNU C Library; if not, see\n+ <https://www.gnu.org/licenses/>. */\n+\n+#include <pwd.h>\n+#include <stdio.h>\n+#include <string.h>\n+#include <wordexp.h>\n+#include <stdlib.h>\n+#include <sys/resource.h>\n+\n+#include <support/check.h>\n+#include <support/support.h>\n+#include <support/xunistd.h>\n+#include <support/namespace.h>\n+\n+typedef void (*func_callback_t)(void);\n+\n+static void\n+subprocess_small_stack (void *closure)\n+{\n+ struct rlimit rl;\n+ TEST_COMPARE (getrlimit (RLIMIT_STACK, &rl), 0);\n+ rl.rlim_cur = 512 * 1024;\n+ TEST_COMPARE (setrlimit (RLIMIT_STACK, &rl), 0);\n+\n+ func_callback_t func_test = closure;\n+ func_test ();\n+}\n+\n+/* Build a string \"~<padding>/tail\" where <padding> is LEN bytes of the\n+ character CH. The caller must free the result. */\n+static char *\n+make_tilde_input (char ch, size_t len, const char *tail)\n+{\n+ /* ~ + len + / + tail + \\0 */\n+ size_t taillen = tail != NULL ? strlen (tail) : 0;\n+ size_t total = 1 + len + 1 + taillen + 1;\n+ char *buf = xmalloc (total);\n+ buf[0] = '~';\n+ memset (buf + 1, ch, len);\n+ buf[1 + len] = '/';\n+ if (tail != NULL)\n+ memcpy (buf + 1 + len + 1, tail, taillen);\n+ buf[total - 1] = '\\0';\n+ return buf;\n+}\n+\n+/* Test 1: A very long username must not crash. The username will not match\n+ any real user, so wordexp returns ~<long>/rest. */\n+static void\n+test_long_username (void)\n+{\n+ printf (\"info: test_long_username_no_crash\\n\");\n+\n+ static const char REST[] = \"rest\";\n+\n+ /* 1 MiB username — well beyond any reasonable stack frame. */\n+ const size_t long_len = 1024 * 1024;\n+ char *input = make_tilde_input ('A', long_len, REST);\n+\n+ wordexp_t we = { 0 };\n+ int ret = wordexp (input, &we, 0);\n+ /* The (non-existent) username is invalid, so wordexp falls back to\n+ literal output: ~AAA…/rest. */\n+ TEST_COMPARE (ret, 0);\n+ TEST_COMPARE (we.we_wordc, 1);\n+\n+ /* Verify prefix: '~' followed by long_len 'A's. */\n+ const char *result = we.we_wordv[0];\n+ TEST_COMPARE (result[0], '~');\n+ TEST_COMPARE (strlen (result),\n+\t 1 /* ~ */ + long_len + sizeof (REST));\n+ for (size_t j = 1; j <= long_len; j++)\n+ if (result[j] != 'A')\n+ {\n+\tprintf (\" mismatch at position %zu: expected 'A', got '%c'\\n\",\n+\t\tj, result[j]);\n+\tsupport_record_failure ();\n+\tbreak;\n+ }\n+ /* Verify the tail after the username. */\n+ TEST_COMPARE_STRING (result + 1 + long_len, \"/rest\");\n+\n+ wordfree (&we);\n+ free (input);\n+}\n+\n+/* Test 2: A username that just exceeds the default scratch_buffer inline\n+ size (1024 bytes) exercises the scratch_buffer_set_array_size growth path\n+ without being excessively large. */\n+static void\n+test_scratch_buffer_growth (void)\n+{\n+ printf (\"info: test_scratch_buffer_growth\\n\");\n+\n+ const size_t len = 2048;\n+ char *input = make_tilde_input ('x', len, NULL);\n+\n+ wordexp_t we = { 0 };\n+ int ret = wordexp (input, &we, 0);\n+ TEST_COMPARE (ret, 0);\n+ TEST_COMPARE (we.we_wordc, 1);\n+\n+ /* ~xxx…/ — the trailing slash makes a separate empty component, but\n+ wordexp merges it into the single token ~xxx…/. */\n+ const char *result = we.we_wordv[0];\n+ TEST_COMPARE (result[0], '~');\n+ for (size_t j = 1; j <= len; j++)\n+ if (result[j] != 'x')\n+ {\n+\tprintf (\" mismatch at position %zu\\n\", j);\n+\tsupport_record_failure ();\n+\tbreak;\n+ }\n+ TEST_COMPARE (result[1 + len], '/');\n+\n+ wordfree (&we);\n+ free (input);\n+}\n+\n+/* Test 3: ~root still resolves to the correct home directory through the\n+ __getpwnam_r path. */\n+static void\n+test_known_user (void)\n+{\n+ printf (\"info: test_known_user\\n\");\n+\n+ /* Look up root's home directory for comparison. */\n+ struct passwd *pw = getpwnam (\"root\");\n+ if (pw == NULL || pw->pw_dir == NULL)\n+ {\n+ printf (\" SKIP: cannot look up root\\n\");\n+ return;\n+ }\n+\n+ char *expected = xasprintf (\"%s/file\", pw->pw_dir);\n+\n+ wordexp_t we = { 0 };\n+ TEST_COMPARE (wordexp (\"~root/file\", &we, 0), 0);\n+ TEST_COMPARE (we.we_wordc, 1);\n+ TEST_COMPARE_STRING (we.we_wordv[0], expected);\n+\n+ wordfree (&we);\n+ free (expected);\n+}\n+\n+/* Test 4: Bare tilde expands to $HOME. */\n+static void\n+test_bare_tilde (void)\n+{\n+ printf (\"info: test_bare_tilde\\n\");\n+\n+ const char *home = getenv (\"HOME\");\n+ if (home == NULL)\n+ {\n+ printf (\" SKIP: HOME is not set\\n\");\n+ return;\n+ }\n+\n+ wordexp_t we = { 0 };\n+ TEST_COMPARE (wordexp (\"~\", &we, 0), 0);\n+ TEST_COMPARE (we.we_wordc, 1);\n+ TEST_COMPARE_STRING (we.we_wordv[0], home);\n+\n+ wordfree (&we);\n+}\n+\n+/* Test 5: Short non-existent username falls back to literal ~username output,\n+ exercising the invalid-login-name path. */\n+static void\n+test_unknown_user (void)\n+{\n+ printf (\"info: test_unknown_user\\n\");\n+\n+ /* Pick a username that is extremely unlikely to exist. */\n+ wordexp_t we = { 0 };\n+ TEST_COMPARE (wordexp (\"~no_such_user_xyzzy42\", &we, 0), 0);\n+ TEST_COMPARE (we.we_wordc, 1);\n+ TEST_COMPARE_STRING (we.we_wordv[0], \"~no_such_user_xyzzy42\");\n+\n+ wordfree (&we);\n+}\n+\n+/* Test 6: Tilde with username and WRDE_APPEND — exercises parse_tilde's\n+ interaction with the WRDE_APPEND word list. */\n+static void\n+test_tilde_with_append (void)\n+{\n+ printf (\"info: test_tilde_with_append\\n\");\n+\n+ const char *home = getenv (\"HOME\");\n+ if (home == NULL)\n+ {\n+ printf (\" SKIP: HOME is not set\\n\");\n+ return;\n+ }\n+\n+ wordexp_t we = { 0 };\n+ TEST_COMPARE (wordexp (\"first\", &we, 0), 0);\n+\n+ TEST_COMPARE (wordexp (\"~/path\", &we, WRDE_APPEND), 0);\n+ TEST_COMPARE (we.we_wordc, 2);\n+ TEST_COMPARE_STRING (we.we_wordv[0], \"first\");\n+\n+ char *expected = xasprintf (\"%s/path\", home);\n+ TEST_COMPARE_STRING (we.we_wordv[1], expected);\n+\n+ wordfree (&we);\n+ free (expected);\n+}\n+\n+static int\n+do_test (void)\n+{\n+ test_known_user ();\n+ test_bare_tilde ();\n+ test_unknown_user ();\n+ test_tilde_with_append ();\n+\n+ support_isolate_in_subprocess (subprocess_small_stack,\n+\t\t\t\t test_long_username);\n+\n+ support_isolate_in_subprocess (subprocess_small_stack,\n+\t\t\t\t test_scratch_buffer_growth);\n+\n+ return 0;\n+}\n+\n+#include <support/test-driver.c>\ndiff --git a/posix/tst-wordexp-tilde.root/etc/group b/posix/tst-wordexp-tilde.root/etc/group\nnew file mode 100644\nindex 0000000000..1dbf9013ee\n--- /dev/null\n+++ b/posix/tst-wordexp-tilde.root/etc/group\n@@ -0,0 +1 @@\n+root:x:0:\ndiff --git a/posix/tst-wordexp-tilde.root/etc/nsswitch.conf b/posix/tst-wordexp-tilde.root/etc/nsswitch.conf\nnew file mode 100644\nindex 0000000000..098a8d5938\n--- /dev/null\n+++ b/posix/tst-wordexp-tilde.root/etc/nsswitch.conf\n@@ -0,0 +1,3 @@\n+passwd: files\n+group: files\n+shadow: files\ndiff --git a/posix/tst-wordexp-tilde.root/etc/passwd b/posix/tst-wordexp-tilde.root/etc/passwd\nnew file mode 100644\nindex 0000000000..eb85a552ad\n--- /dev/null\n+++ b/posix/tst-wordexp-tilde.root/etc/passwd\n@@ -0,0 +1 @@\n+root:x:0:0:root:/root:/bin/sh\ndiff --git a/posix/wordexp.c b/posix/wordexp.c\nindex 4a8541add4..a6b9391906 100644\n--- a/posix/wordexp.c\n+++ b/posix/wordexp.c\n@@ -335,17 +335,29 @@ parse_tilde (char **word, size_t *word_length, size_t *max_length,\n else\n {\n /* Look up user name in database to get home directory */\n- char *user = strndupa (&words[1 + *offset], i - (1 + *offset));\n- struct passwd pwd, *tpwd;\n- int result;\n+ size_t userlen = i - (1 + *offset);\n+ /* tmpbuf contains both the user and the __getpwnam_r working area. */\n struct scratch_buffer tmpbuf;\n scratch_buffer_init (&tmpbuf);\n+ if (!scratch_buffer_set_array_size (&tmpbuf, userlen + 1, 1))\n+\treturn WRDE_NOSPACE;\n+ char *user = tmpbuf.data;\n+ memcpy (user, &words[1 + *offset], userlen);\n+ user[userlen] = '\\0';\n \n- while ((result = __getpwnam_r (user, &pwd, tmpbuf.data, tmpbuf.length,\n-\t\t\t\t &tpwd)) != 0\n-\t && errno == ERANGE)\n-\tif (!scratch_buffer_grow (&tmpbuf))\n-\t return WRDE_NOSPACE;\n+ struct passwd pwd, *tpwd;\n+ int result;\n+ while ((result = __getpwnam_r (user,\n+\t\t\t\t &pwd,\n+\t\t\t\t tmpbuf.data + userlen + 1,\n+\t\t\t\t tmpbuf.length - userlen - 1,\n+\t\t\t\t &tpwd)\n+\t != 0))\n+\t{\n+\t if (!scratch_buffer_grow_preserve (&tmpbuf))\n+\t return WRDE_NOSPACE;\n+\t user = tmpbuf.data;\n+\t}\n \n if (result == 0 && tpwd != NULL && pwd.pw_dir)\n \t*word = w_addstr (*word, word_length, max_length, pwd.pw_dir);\n", "prefixes": [] }