Date: Sun, 15 Dec 1996 12:17:16 +0200 (SAT)
From: Johann Tonsing <jtonsing@zibbi.mikom.csir.co.za>
To: freebsd-security@freebsd.org
Cc: jhay@zibbi.mikom.csir.co.za (John Hay), roelof@cube.nanoteq.co.za (Roelof Temmingh)
Subject: crontab buffer overflow fix
Message-ID: <199612151017.MAA09130@zibbi.mikom.csir.co.za>
Hi! Here's a fix for the crontab buffer overflow problem. The Filename[] overflow seems to be the actual problem, but I've fixed a potential problem with User[] as well. (Not trusting the output of getpwuid() might be *too* paranoid though!) JT -- jtonsing@mikom.csir.co.za, Voice: +27 82 569-2323, Fax/Ans: +27 12 43-5643, S-mail: 173 Duxbury Rd, Hatfield, 0083 Pretoria, South Africa. PGP public key: ftp://skeleton.mikom.csir.co.za/pub/netsec.pgp/jtonsing.pub Send anonymous mail to jt-anon@zibbi.mikom.csir.co.za (no reply possible) *************************************************************************** --- crontab.c Sun Dec 15 12:00:41 1996 +++ crontab.c.old Thu May 2 14:57:40 1996 @@ -144,8 +144,7 @@ fprintf(stderr, "bailing out.\n"); exit(ERROR_EXIT); } - strncpy(User, pw->pw_name, sizeof(User)-1); - User[sizeof(User)-1] = '\0'; + strcpy(User, pw->pw_name); strcpy(RealUser, User); Filename[0] = '\0'; Option = opt_unknown; @@ -168,8 +167,7 @@ ProgramName, optarg); exit(ERROR_EXIT); } - strncpy(User, optarg, sizeof(User)-1); - User[sizeof(User)-1] = '\0'; + (void) strcpy(User, optarg); break; case 'l': if (Option != opt_unknown) @@ -200,8 +198,7 @@ } else { if (argv[optind] != NULL) { Option = opt_replace; - strncpy (Filename, argv[optind], sizeof(Filename)-1); - Filename[sizeof(Filename)-1] = '\0'; + (void) strcpy (Filename, argv[optind]); } else { usage("file name must be specified for replace"); }
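Review bot: The file header above the first hunk reads `--- crontab.c Sun Dec 15 12:00:41 1996` and `+++ crontab.c.old Thu May 2 14:57:40 1996`, so the diff runs from the fixed file to the old one: the bounded strncpy() lines carry `-` and the unbounded strcpy() lines carry `+`. As posted it would have to be applied with patch -R; regenerating it with the old file first would avoid that. In the first hunk (line 144 onward) the context line `strcpy(RealUser, User);` stays unbounded, which is safe only if RealUser is at least as large as User. The declarations are not visible here, so bounding that copy the same way would settle it.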
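Review bot: In the second hunk (line 168 onward), `strncpy(User, optarg, sizeof(User)-1);` silently truncates an over-long argument, so User can end up holding a different name from the optarg that the error path just above it reports on. Rejecting the argument when strlen(optarg) >= sizeof(User), with a message and exit(ERROR_EXIT) as the preceding lines do, would be safer than truncating.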
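Review bot: In the third hunk (line 200 onward), the bounded copy into Filename truncates an over-long argv[optind] without any indication, so the replace operation would go on to use a name other than the one given on the command line. Checking the length first and failing through usage(), as the else branch does for a missing file name, would make the over-long case an explicit error.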