From cfdc27c613d74fb981ef1e80d858f7fa61838e9a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 21 May 2026 07:11:30 +1000 Subject: [PATCH] t_stub.c: raise max_alloc default so test helpers can allocate The t_stub.c shim defined max_alloc = 0 as a placeholder to satisfy the link against util2.o. This was harmless when the test helpers made no allocations, but the secure_relative_open() implementation in 3.4.0+ calls my_strdup() in its per-component O_NOFOLLOW fallback (syscall.c around line 1857), and the 3.4.3 do_*_at() hardening series added more such calls. With max_alloc=0, every allocation in that path trips the 'exceeded --max-alloc=0' check in util2.c's my_alloc(), and t_chmod_secure (which exercises do_chmod_at via secure_relative_open) fails on the very first my_strdup. The failure is invisible on Linux 5.6+ / FreeBSD 13+ / macOS 15+ / recent Cygwin because those platforms take the kernel-enforced openat2(RESOLVE_BENEATH) or openat(O_RESOLVE_BENEATH) branch and never reach the per-component fallback. It also goes unobserved on the SunOS/OpenBSD/NetBSD/CYGWIN* CI runners because the chmod-symlink-race.test script case-skips on those platforms (the legitimate dir-symlink scenario the test exercises can't pass on the per-component fallback). HPE NonStop is the first platform that lacks RESOLVE_BENEATH support AND isn't in the skip list AND has someone actually running the test suite, so it surfaced the latent bug. Raise max_alloc to SIZE_MAX so the helpers can allocate freely. A follow-up patch makes t_chmod_secure adapt at runtime so the skip list can be removed and the per-component fallback gets real CI coverage. --- t_stub.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/t_stub.c b/t_stub.c index 63bc144c..b15af77f 100644 --- a/t_stub.c +++ b/t_stub.c @@ -36,7 +36,12 @@ int preserve_perms = 0; int preserve_executability = 0; int omit_link_times = 0; int open_noatime = 0; -size_t max_alloc = 0; /* max_alloc is needed when combined with util2.o */ +size_t max_alloc = (size_t)-1; /* test helpers are not memory-constrained; + * 0 here makes every my_alloc()/my_strdup() in + * util2.c trip the "exceeded --max-alloc=0" + * check, which any helper exercising the + * per-component fallback of secure_relative_open() + * hits at its first my_strdup() call. */ char *partial_dir; char *module_dir; filter_rule_list daemon_filter_list;