From d0583c403952630c534b0605ff7d69af5ec473cc Mon Sep 17 00:00:00 2001
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Fri, 16 May 2014 00:03:37 +0200
Subject: ptsname_r: don't leak uninitialized memory (BZ #16917)

If the fd refers to a terminal device, but not a pty master, the
TIOCGPTN ioctl returns with ENOTTY. This error is not caught, and the
possibly undefined buffer passed to ptsname_r is sent directly to the
stat64 syscall.

Fix this by using a fallback to the old method only if the TIOCGPTN
ioctl fails with EINVAL. This also fix the return value in that specific
case (it return ENOENT without this patch).

Also add tests to the ptsname_r function (and ptsname at the same time).

Note: this is Debian bug#741482, reported by Jakub Wilk <jwilk@debian.org>
---
 sysdeps/unix/sysv/linux/ptsname.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'sysdeps/unix/sysv/linux/ptsname.c')

diff --git a/sysdeps/unix/sysv/linux/ptsname.c b/sysdeps/unix/sysv/linux/ptsname.c
index ed39f8f520..3fc14a73b2 100644
--- a/sysdeps/unix/sysv/linux/ptsname.c
+++ b/sysdeps/unix/sysv/linux/ptsname.c
@@ -105,7 +105,9 @@ __ptsname_internal (int fd, char *buf, size_t buflen, struct stat64 *stp)
 
       memcpy (__stpcpy (buf, devpts), p, &numbuf[sizeof (numbuf)] - p);
     }
-  else if (errno == EINVAL)
+  else if (errno != EINVAL)
+    return errno;
+  else
 #endif
     {
       char *p;
-- 
cgit 1.4.1