To: "cygwin@cygwin.com" <cygwin@cygwin.com>
Subject: Re: cygrunsrv CWE-428
Date: Tue, 21 Apr 2026 18:03:45 +0000
Message-ID: <SJ1PR10MB6003CBA95C1292F7CBB8D963F82C2@SJ1PR10MB6003.namprd10.prod.outlook.com>
References: <ee2370b2-34d7-4501-8a4c-49f0b1abd13f@rackwareinc.com>
 <aee5_xG7tKyT_-9k@calimero.vinschen.de>
In-Reply-To: <aee5_xG7tKyT_-9k@calimero.vinschen.de>
X-BeenThere: cygwin@cygwin.com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: James Warnock via Cygwin <cygwin@cygwin.com>
Reply-To: James Warnock <james.warnock@rackwareinc.com>

Hello Corinna,

You are probably right. I'm not a very experienced Windows developer. I believe MAX_PATH is a constant provided by Windows, right? So, I guess I was thinking that was a hard limit that shouldn't be exceeded. But since this is being written to a registry value, maybe it is okay to exceed that.

Is it worth trying to improve that patch and submit it somewhere? I was assuming something like this should really be handled by someone who knows what they are doing. But I'm happy to help if I can. The patch should probably also try to avoid buffer overflows.

Thanks,
James
________________________________________
From: Corinna Vinschen <corinna-cygwin@cygwin.com>
Sent: Tuesday, April 21, 2026 11:55 AM
To: James Warnock <james.warnock@rackwareinc.com>
Cc: cygwin@cygwin.com <cygwin@cygwin.com>
Subject: Re: cygrunsrv CWE-428
 
Hi James,

thanks for the patch.  One point, though:

On Apr 21 08:57, James Warnock via Cygwin wrote:
> diff --git a/cygrunsrv.cc b/cygrunsrv.cc
> index dab8790..c3b04ee 100644
> --- a/cygrunsrv.cc
> +++ b/cygrunsrv.cc
> @@ -810,6 +810,7 @@ install_service (const char *name, const char *crspath, const char *disp,
>                 int interactive)
>  {
>    char mypath[MAX_PATH];
> +  char* mypath_p = mypath;
>    SC_HANDLE sm = (SC_HANDLE) 0;
>    SC_HANDLE sh = (SC_HANDLE) 0;
>    char userbuf[INTERNET_MAX_HOST_NAME_LENGTH + UNLEN + 2];
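
Review bot: style point on the new declaration: `char* mypath_p` attaches the star to the type, while the declarations around it in this function (`const char *name`, `const char *crspath`) attach it to the name; `char *mypath_p = mypath;` would match. A one-line comment saying that mypath_p skips the opening quote would also help, because at the declaration there is nothing to explain why a second pointer into the same buffer exists.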
> @@ -824,28 +825,31 @@ install_service (const char *name, const char *crspath, const char *disp,
>    if (!san.server ())
>      check_system_mounts ();
> 
> +  mypath[0] = '"';
> +  mypath_p++;
>    if (crspath)                 /* Got path, nothing to do. */
>      {
> -      cygwin_conv_path (CCP_POSIX_TO_WIN_A, crspath, mypath, MAX_PATH);
> +      cygwin_conv_path (CCP_POSIX_TO_WIN_A, crspath, mypath_p, MAX_PATH-2);
                                                                  ^^^^^^^^^^

>        if (strcasecmp (mypath + strlen (mypath) - 4, ".exe") != 0)
>          strcat (mypath, ".exe");
>      }
>    else if (san.server ()) /* Figure out cygrunsrv path on remote server. */
>      {
> -      DWORD ret, type, size = MAX_PATH - 20;
> +      DWORD ret, type, size = MAX_PATH - 22;
                                 ^^^^^^^^^^^^^
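
Review bot: the `strcat (mypath, ".exe")` right after the changed `cygwin_conv_path` call still has no room check. The call now lets the conversion fill `mypath_p` with up to `MAX_PATH-2` bytes starting at index 1, so a path of that length plus the four-byte suffix runs past the end of `mypath[MAX_PATH]`; compute the remaining space and refuse, or build the suffix with `snprintf`, before appending. Two smaller points: `strcasecmp (mypath + strlen (mypath) - 4, ".exe")` indexes before the buffer when the converted path is shorter than four characters, and the visible lines write only the opening quote, so please confirm the closing quote is appended after the `.exe` check, since that comparison looks at the last four bytes of the string. Style: `MAX_PATH-2` versus the spaced `MAX_PATH - 22` two lines below.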

Rather than further restricting the maximum path length, wouldn't it
make sense to raise the size of mypath to MAX_PATH + 2?


Thanks,
Corinna

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
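
Corinna's sizing suggestion and James's remark about avoiding buffer overflows, as an added C example that is not part of this thread or of cygrunsrv. It assumes the input is already a Windows-form path string (standing in for what cygwin_conv_path() would produce, so the example builds and runs on any platform), defines MAX_PATH as 260 only when the system headers do not provide it, and uses Corinna's MAX_PATH + 2 as the quoted-buffer size. The helper functions and their constructed inputs are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, as used by cygrunsrv itself */

#ifndef MAX_PATH
#define MAX_PATH 260   /* Windows value; assumed here so the example builds off-Cygwin */
#endif

/* Buffer size Corinna proposed: the path plus the two surrounding quotes. */
#define QUOTED_PATH_MAX (MAX_PATH + 2)

/* Build "<win_path>[.exe]" into out.  Returns the length written, or -1 when
 * the result would not fit (out is then left empty instead of overflowing).
 * win_path stands in for the NUL-terminated output of cygwin_conv_path(). */
int quote_exe_path(const char *win_path, char *out, size_t outsz)
{
    size_t len = strlen(win_path);
    /* Guard the length before looking at the last four bytes. */
    int needs_exe = len < 4 || strcasecmp(win_path + len - 4, ".exe") != 0;
    /* opening quote + path + optional ".exe" + closing quote + NUL */
    size_t need = 1 + len + (needs_exe ? 4 : 0) + 1 + 1;

    if (outsz == 0)
        return -1;
    if (need > outsz) {
        out[0] = '\0';
        return -1;
    }
    return snprintf(out, outsz, "\"%s%s\"", win_path, needs_exe ? ".exe" : "");
}

/* Constructed input: the longest unquoted path that fits a MAX_PATH buffer
 * (MAX_PATH - 1 characters of 'a' ending in the given suffix, plus NUL). */
static void fill_path(char *buf, size_t n, const char *suffix)
{
    size_t slen = strlen(suffix);
    memset(buf, 'a', n - 1 - slen);
    memcpy(buf + n - 1 - slen, suffix, slen + 1);  /* copies the NUL too */
}

/* Longest path that already ends in .exe: fits exactly in MAX_PATH + 2. */
int longest_exe_path_fits(void)
{
    char path[MAX_PATH], out[QUOTED_PATH_MAX];
    fill_path(path, sizeof path, ".exe");
    return quote_exe_path(path, out, sizeof out) == MAX_PATH + 1;
}

/* Same length without the suffix: appending ".exe" would need four more bytes
 * than MAX_PATH + 2 holds, so the call must fail rather than overflow. */
int longest_bare_path_rejected(void)
{
    char path[MAX_PATH], out[QUOTED_PATH_MAX];
    fill_path(path, sizeof path, "");
    return quote_exe_path(path, out, sizeof out) == -1 && out[0] == '\0';
}

int main(void)
{
    char out[QUOTED_PATH_MAX];
    if (quote_exe_path("C:\\cygwin\\bin\\cygrunsrv", out, sizeof out) < 0)
        return 1;
    printf("%s\n", out);
    printf("longest .exe path fits: %d, longest bare path rejected: %d\n",
           longest_exe_path_fits(), longest_bare_path_rejected());
    return 0;
}
```

The two helpers make the arithmetic concrete: MAX_PATH + 2 is enough for a maximal path that already carries the suffix, but not for one that still needs ".exe" added, which is exactly the case an unchecked strcat would silently overflow.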

