From owner-freebsd-audit Sun Mar 19 23:12:10 2000 Delivered-To: freebsd-audit@freebsd.org Received: from MailAndNews.com (MailAndNews.com [199.29.68.160]) by hub.freebsd.org (Postfix) with ESMTP id ED4FB37B53C for ; Sun, 19 Mar 2000 23:12:05 -0800 (PST) (envelope-from mheffner@mailandnews.com) Received: from muriel.penguinpowered.com [208.138.199.76] (mheffner@mailandnews.com); Mon, 20 Mar 2000 02:11:58 -0500 X-WM-Posted-At: MailAndNews.com; Mon, 20 Mar 00 02:11:58 -0500 Content-Length: 3935 Message-ID: X-Mailer: XFMail 1.4.4 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Date: Mon, 20 Mar 2000 02:12:42 -0500 (EST) Reply-To: Mike Heffner From: Mike Heffner To: FreeBSD-audit Subject: three small patches - oflows Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Hi, Here are three small patches that fix misc. overflows. Could someone take a quick look at them, and possibly commit :)
- ed patch, fixes "ed [4096]" overflow
Index: bin/ed/main.c
===================================================================
RCS file: /home/ncvs/src/bin/ed/main.c,v
retrieving revision 1.14
diff -u -r1.14 main.c
--- main.c 1999/08/27 23:14:14 1.14
+++ main.c 2000/03/20 07:08:33
@@ -175,7 +175,9 @@
 if (read_file(*argv, 0) < 0 && !isatty(0))
 quit(2);
 else if (**argv != '!')
- strcpy(old_filename, *argv);
+ if(strlcpy(old_filename, *argv,
+ sizeof(old_filename))>=sizeof(old_filename))
+ quit(2);
 } else if (argc) {
 fputs("?\n", stderr);
 if (**argv == '\0')
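Review bot: An over-long file name now makes ed exit through `quit(2)` on the last added line with no diagnostic at all, while the neighbouring error path two lines below at least prints `fputs("?\n", stderr)`; the user gets a silent exit status and no hint that the name was the problem. Print something first, e.g. `fputs("ed: file name too long\n", stderr);` immediately before `quit(2);`, or route it through whatever error reporting main already has. Note also that `read_file(*argv, 0)` on the first context line already receives the same unbounded name before this copy is checked; whether read_file copies it into a fixed buffer of its own is outside this hunk and worth confirming. Minor style: `if(strlcpy(` and `>=sizeof` drop the spaces the surrounding code uses (`if (`, `< 0 &&`). The enclosing function starts and ends outside the hunk.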
@@ -1346,7 +1348,7 @@
 REALLOC(file, filesz, MAXPATHLEN + 1, NULL);
 /* assert: no trailing escape */
- while ((file[i++] = (*s == '\\') ? *++s : *s))
+ while (i < filesz-1 && (file[i++] = (*s == '\\') ? *++s : *s))
 s++;
 return file;
 }
- natd patch, fixes "natd -w [17000] blah" overflow
Index: sbin/natd/natd.c
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.25
diff -u -r1.25 natd.c
--- natd.c 2000/02/25 11:34:38 1.25
+++ natd.c 2000/03/04 03:42:07
@@ -421,9 +421,9 @@
 static void ParseArgs (int argc, char** argv)
 {
 int arg;
- char* parm;
 char* opt;
 char parmBuf[256];
+ int len; /* bounds checking */
 for (arg = 1; arg < argc; arg++) {
@@ -434,23 +434,25 @@
 Usage ();
 }
- parm = NULL;
 parmBuf[0] = '\0';
+ len = 0;
 while (arg < argc - 1) {
 if (argv[arg + 1][0] == '-')
 break;
- if (parm)
- strcat (parmBuf, " ");
+ if (len){
+ strncat (parmBuf, " ", sizeof(parmBuf)-len-1);
+ len += strlen(parmBuf+len);
+ }
 ++arg;
- parm = parmBuf;
- strcat (parmBuf, argv[arg]);
+ strncat (parmBuf, argv[arg], sizeof(parmBuf)-len-1);
+ len += strlen(parmBuf+len);
 }
- ParseOption (opt + 1, parm, 1);
+ ParseOption (opt + 1, (len ? parmBuf : NULL), 1);
 }
 }
- startslip patch, fixes "startslip -d [8192] -c [8192]" overflow
Index: sbin/startslip/startslip.c
===================================================================
RCS file: /home/ncvs/src/sbin/startslip/startslip.c,v
retrieving revision 1.31
diff -u -r1.31 startslip.c
--- startslip.c 1999/08/28 00:14:27 1.31
+++ startslip.c 2000/03/20 06:57:33
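Review bot: When the new `i < filesz-1` bound is what stops the loop, nothing writes a terminating NUL: the last store went to `file[filesz-2]`, `file[filesz-1]` keeps whatever this static buffer held from an earlier call, and the caller receives an unterminated name, which is the kind of over-read the patch is meant to prevent. Add `file[i] = '\0';` right after the `s++;` line; i is at most filesz-1 at that point, so the store stays inside the MAXPATHLEN + 1 bytes REALLOC guarantees. Silently truncating a path name is also questionable, because the caller would then open a different file from the one the user typed; since REALLOC already returns NULL from this function on failure, returning NULL (with an error message) when the bound was hit, i.e. `i == filesz - 1 && file[i - 1] != '\0'`, seems the safer outcome, assuming callers handle a NULL return as the REALLOC error argument suggests. The enclosing function starts outside the hunk.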
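Review bot: The comment on the added `int len;` line, `/* bounds checking */`, says why the variable exists but not what it holds, which is what the next hunk needs a reader to know; `/* current strlen(parmBuf), kept up to date for the strncat bounds */` would be more useful. Because it is subtracted from `sizeof(parmBuf)` in the next hunk, `size_t len;` would avoid mixing signed and unsigned arithmetic, although with a 256-byte buffer the int cannot go negative in practice. The declaration belongs to ParseArgs, whose body continues past this hunk.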
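Review bot: The two `strncat` calls stop the overflow but truncate silently, so an argument longer than `parmBuf` reaches `ParseOption` cut short and natd would start with a configuration the user did not ask for (a shortened address, port or list) instead of refusing to run. Detect it before appending, e.g. after `++arg;` add `if (len + (len ? 1 : 0) + strlen (argv[arg]) >= sizeof (parmBuf)) errx (1, "argument to %s too long", opt);` using whichever fatal-error helper natd already uses if errx(3) is not the convention here. Replacing the `parm` pointer with `len ? parmBuf : NULL` also changes one case: an empty argument (`-w ""`) used to reach ParseOption as an empty string and now arrives as NULL, which is presumably what its missing-argument check wants but is an unstated behaviour change worth a line in the commit message. ParseArgs starts in the previous hunk.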
@@ -214,7 +214,9 @@
 dvname = devicename;
 else
 dvname++;
- sprintf(pidfile, PIDFILE, _PATH_VARRUN, dvname);
+ if(snprintf(pidfile, sizeof(pidfile), PIDFILE, _PATH_VARRUN, dvname) >=
+ sizeof(pidfile) )
+ usage();
 if ((pfd = fopen(pidfile, "r")) != NULL) {
 if (fscanf(pfd, "%ld\n", &lpid) == 1) {
 pid = lpid;
Thanks, /**************************************** * Mike Heffner * * Fredericksburg, VA -- ICQ# 882073 * * Sent at: 20-Mar-2000 -- 01:59:00 EST * * http://my.ispchannel.com/~mheffner * ****************************************/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
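Review bot: A device name that does not fit in `pidfile` now ends in `usage()`, which prints the command synopsis rather than saying what was wrong, and the `>=` on the first added line compares the `int` result of `snprintf` with a `size_t`, so a negative return (an output error) is promoted to a huge value and also lands in usage() with no explanation. Capture the result and report the real problem: `if ((n = snprintf(pidfile, sizeof(pidfile), PIDFILE, _PATH_VARRUN, dvname)) < 0 || (size_t)n >= sizeof(pidfile)) errx(1, "device name too long: %s", dvname);` with an `int n` declared among the function's locals, which are outside this hunk; substitute the file's own error reporting if errx(3) is not used here. The stray space in `sizeof(pidfile) )` should also go, and `if(snprintf(` should follow the surrounding `if (` spacing. The enclosing function starts and ends outside the hunk.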