authorAurelien Jarno <aurelien@aurel32.net>2014-05-16 00:03:37 +0200
committerAurelien Jarno <aurelien@aurel32.net>2014-05-16 00:07:29 +0200
commitd0583c403952630c534b0605ff7d69af5ec473cc (patch)
tree87b8ce3f6ac98870ceff9ec85e2b4fd1f3ec7641
parentc0c08d02c82275353f5c556f935a1a01714d9d7f (diff)
ptsname_r: don't leak uninitialized memory (BZ #16917)
If the fd refers to a terminal device, but not a pty master, the
TIOCGPTN ioctl returns with ENOTTY. This error is not caught, and the
possibly undefined buffer passed to ptsname_r is sent directly to the
stat64 syscall.

Fix this by using a fallback to the old method only if the TIOCGPTN
ioctl fails with EINVAL. This also fixes the return value in that specific
case (it returns ENOENT without this patch).

Also add tests to the ptsname_r function (and ptsname at the same time).

Note: this is Debian bug#741482, reported by Jakub Wilk <jwilk@debian.org>
-rw-r--r--ChangeLog9
-rw-r--r--NEWS2
-rw-r--r--login/Makefile2
-rw-r--r--login/tst-ptsname.c108
-rw-r--r--sysdeps/unix/sysv/linux/ptsname.c4
5 files changed, 122 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 29ffc2d621..a4db7030e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2014-05-16  Aurelien Jarno  <aurelien@aurel32.net>
+
+	[BZ #16917]
+	* sysdeps/unix/sysv/linux/ptsname.c (__ptsname_internal): Return
+	errno if the TIOCGPTN ioctl fails with an error different than
+	EINVAL.
+	* login/tst-ptsname.c: New file.
+	* login/Makefile (tests): Add tst-ptsname.
+
 2014-05-15  Siddhesh Poyarekar  <siddhesh@redhat.com>
 
 	[BZ #16849]
diff --git a/NEWS b/NEWS
index 38d7214be2..256d9751d2 100644
--- a/NEWS
+++ b/NEWS
@@ -17,7 +17,7 @@ Version 2.20
   16712, 16713, 16714, 16731, 16739, 16740, 16743, 16754, 16758, 16759,
   16760, 16770, 16786, 16789, 16791, 16799, 16800, 16815, 16823, 16824,
   16831, 16838, 16849, 16854, 16876, 16877, 16885, 16888, 16890, 16912,
-  16916, 16922, 16927, 16928, 16932.
+  16916, 16917, 16922, 16927, 16928, 16932.
 
 * The minimum Linux kernel version that this version of the GNU C Library
   can be used with is 2.6.32.
diff --git a/login/Makefile b/login/Makefile
index ca55808127..d758ac5f71 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -43,7 +43,7 @@ endif
 subdir-dirs = programs
 vpath %.c programs
 
-tests := tst-utmp tst-utmpx tst-grantpt
+tests := tst-utmp tst-utmpx tst-grantpt tst-ptsname
 
 # Build the -lutil library with these extra functions.
 extra-libs      := libutil
diff --git a/login/tst-ptsname.c b/login/tst-ptsname.c
new file mode 100644
index 0000000000..edcdbc5ec5
--- /dev/null
+++ b/login/tst-ptsname.c
@@ -0,0 +1,108 @@
+/* Test for ptsname/ptsname_r.
+   Copyright (C) 2014 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+   Contributed by Aurelien Jarno <aurelien@aurel32.net>, 2014.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define DEV_TTY		"/dev/tty"
+#define PTSNAME_EINVAL	"./ptsname-einval"
+
+static int
+do_single_test (int fd, char *buf, size_t buflen, int expected_err)
+{
+
+  int ret = ptsname_r (fd, buf, buflen);
+  int err = errno;
+
+  if (expected_err == 0)
+    {
+      if (ret != 0)
+	{
+	  printf ("ptsname_r: expected: return = 0\n");
+	  printf ("           got: return = %d, errno = %d (%s)\n",
+	          ret, err, strerror (err));
+	  return 1;
+	}
+    }
+  else
+    {
+      if (ret == 0 || errno != expected_err)
+	{
+	  printf ("ptsname_r: expected: return = %d, errno = %d (%s)\n",
+	          -1, expected_err, strerror (expected_err));
+	  printf ("           got: return = %d, errno = %d (%s)\n",
+	          ret, err, strerror (err));
+	  return 1;
+	}
+    }
+
+  return 0;
+}
+
+static int
+do_test (void)
+{
+  char buf[512];
+  int result = 0;
+
+  /* Tests with a real PTS master.  */
+  int fd = posix_openpt (O_RDWR);
+  if (fd != -1)
+    {
+      result |= do_single_test (fd, buf, sizeof (buf), 0);
+      result |= do_single_test (fd, NULL, sizeof (buf), EINVAL);
+      result |= do_single_test (fd, buf, 1, ERANGE);
+      close (fd);
+    }
+  else
+    printf ("posix_openpt (O_RDWR) failed\nerrno %d (%s)\n",
+	    errno, strerror (errno));
+
+  /* Test with a terminal device which is not a PTS master.  */
+  fd = open (DEV_TTY, O_RDONLY);
+  if (fd != -1)
+    {
+      result |= do_single_test (fd, buf, sizeof (buf), ENOTTY);
+      close (fd);
+    }
+  else
+    printf ("open (\"%s\", O_RDWR) failed\nerrno %d (%s)\n",
+	    DEV_TTY, errno, strerror (errno));
+
+  /* Test with a file.  */
+  fd = open (PTSNAME_EINVAL, O_RDWR | O_CREAT, 0600);
+  if (fd != -1)
+    {
+      result |= do_single_test (fd, buf, sizeof (buf), ENOTTY);
+      close (fd);
+      unlink (PTSNAME_EINVAL);
+    }
+  else
+    printf ("open (\"%s\", O_RDWR | OCREAT) failed\nerrno %d (%s)\n",
+	    PTSNAME_EINVAL, errno, strerror (errno));
+
+  return result;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
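Review bot: In do_single_test the failure branch compares the live `errno` rather than the saved `err`, errno is never cleared before the call, and `ret` only has to be non-zero. A stale ENOTTY left by the preceding /dev/tty case could therefore satisfy the regular-file case, and the return-value correction described in the commit message is not pinned by the test. I would add `errno = 0;` just before `ptsname_r (fd, buf, buflen)` and tighten the check to `if (ret != expected_err || err != expected_err)`, assuming every failure path returns the error number the way the patched `return errno;` path does; the "expected: return = -1" message should then print `expected_err`. As a minor point, the two open() diagnostics do not match the calls: the /dev/tty one prints O_RDWR for an O_RDONLY open, and the file one prints OCREAT for O_CREAT.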
diff --git a/sysdeps/unix/sysv/linux/ptsname.c b/sysdeps/unix/sysv/linux/ptsname.c
index ed39f8f520..3fc14a73b2 100644
--- a/sysdeps/unix/sysv/linux/ptsname.c
+++ b/sysdeps/unix/sysv/linux/ptsname.c
@@ -105,7 +105,9 @@ __ptsname_internal (int fd, char *buf, size_t buflen, struct stat64 *stp)
 
       memcpy (__stpcpy (buf, devpts), p, &numbuf[sizeof (numbuf)] - p);
     }
-  else if (errno == EINVAL)
+  else if (errno != EINVAL)
+    return errno;
+  else
 #endif
     {
       char *p;
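Review bot: The new `else if (errno != EINVAL) return errno;` branch has no comment saying why EINVAL alone may reach the fallback block, and that condition is what keeps the caller's possibly uninitialized `buf` from being passed to stat64. I would put a comment above it along the lines of `/* Only EINVAL from TIOCGPTN may use the old method below; any other error (e.g. ENOTTY for a terminal that is not a pty master) is returned before buf is read.  */`. The bare `else` directly before `#endif` is also easy to misread, so the comment should say that the braced block is the fallback path. The body of __ptsname_internal and the matching `#if` both start outside this hunk, so I cannot confirm here how the block behaves when that conditional is compiled out.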