
Bug#78678: hurd: symlink to empty name crashes libdiskfs


From: Marcus . Brinkmann
Subject: Bug#78678: hurd: symlink to empty name crashes libdiskfs
Date: Sun, 03 Dec 2000 16:32:30 +0100

Package: hurd
Version: N/A
Severity: normal

From the TODO file:

*** If the target of a symlink is the empty string, stat seems to spin forever !!!

This is not true; instead it crashes with E_BAD_ACCESS. Here is what
happens. Consider 'ln -s "" foo; cat foo'

libdiskfs/dir-lookup.c:

path is "foo", we enter the main loop.
foo is looked up with diskfs_lookup, it is a symlink.
This throws us into line 306:

      if (S_ISLNK (np->dn_stat.st_mode)
          && (!lastcomp
              || mustbedir      /* "foo/" must see that foo points to a dir */
              || !(flags & (O_NOLINK|O_NOTRANS))))
        {

....

          if (diskfs_read_symlink_hook)
            error = (*diskfs_read_symlink_hook)(np, pathbuf);

[Now pathbuf is left unchanged, because st_size is zero.]
....

          pathbuf[nextnamelen + np->dn_stat.st_size] = '\0';

[Now pathbuf is the empty string, our link target]
....

          path = pathbuf;

[Now path is the empty string]
....

          diskfs_nput (np);
          np = 0;
        }

[We drop the node np]
....

    } while (path && *path);

[Main loop is not entered again to look up the link target, as path is the
empty string]
....

  /* At this point, np is the node to return.  If newnode is set, then
     we just created this node.  */

 gotit:
  type = np->dn_stat.st_mode & S_IFMT;

[The comment does not tell the truth. We die when referencing np == 0]

This is a null pointer reference. I think we need a flag to say: This is a
symlink target, dereference even if path is "", but I haven't tried such a
change yet.

Thanks,
Marcus
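
An added example, not part of the original message and not Hurd code: a small C model of the loop shape traced above, showing that np is NULL at "gotit:" for an empty link target, with a guard placed before the dereference. The toy_* names, np_at_gotit, the three-entry table and the choice of ENOENT are assumptions of this example; it handles single-component paths and a table without link cycles only.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a filesystem node; not the real libdiskfs struct. */
struct toy_node { const char *name; int is_symlink; const char *target; int mode; };

static struct toy_node toy_fs[] = {
    { "file",  0, NULL,   1 },
    { "good",  1, "file", 2 },
    { "empty", 1, "",     2 },  /* what ln -s "" empty would create */
};

static struct toy_node *toy_find(const char *name) {
    for (size_t i = 0; i < sizeof toy_fs / sizeof toy_fs[0]; i++)
        if (strcmp(toy_fs[i].name, name) == 0) return &toy_fs[i];
    return NULL;
}

/* Runs the lookup loop and returns np as it stands on reaching "gotit:". */
static struct toy_node *np_at_gotit(const char *path, int *err) {
    struct toy_node *np = NULL;
    *err = 0;
    do {
        np = toy_find(path);
        if (!np) { *err = ENOENT; return NULL; }
        if (np->is_symlink) {
            path = np->target;  /* path = pathbuf; */
            np = NULL;          /* diskfs_nput (np); np = 0; */
        } else {
            path = NULL;        /* last component consumed */
        }
    } while (path && *path);
    return np;                  /* NULL with *err == 0 for the empty target */
}

/* Guarded variant; ENOENT is this example's assumption, not the flag idea above. */
static int toy_lookup(const char *path, int *mode) {
    int err;
    struct toy_node *np = np_at_gotit(path, &err);
    if (err) return err;
    if (!np) return ENOENT;     /* never reach the dereference with np == NULL */
    *mode = np->mode;           /* models: type = np->dn_stat.st_mode & S_IFMT */
    return 0;
}

int main(void) {
    int m = 0;                  /* exit status 0 when both lookups behave as expected */
    return !(toy_lookup("good", &m) == 0 && toy_lookup("empty", &m) == ENOENT);
}
```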



