Date:      Tue, 28 Jan 1997 10:46:00 +0200 (EET)
From:      Jukka Ukkonen <jau@jau.thunderbolt.fi>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/2605: Buffer overflow in Paul Vixie's cron
Message-ID:  <199701280846.KAA13618@jau.thunderbolt.fi>
Resent-Message-ID: <199701281000.CAA03591@freefall.freebsd.org>


>Number:         2605
>Category:       bin
>Synopsis:       Buffer overflow in Paul Vixie's cron
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 28 02:00:06 PST 1997
>Last-Modified:
>Originator:     Jukka Ukkonen
>Organization:
Private person
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

	This is a system software problem which is independent of the
	hardware environment in which the program is running.

>Description:

	There was a possibility to cause an overflow of a string buffer
	in Vixie's cron implementation by defining very long names for
	environment variables. This erroneous behaviour could create
	a security problem unless fixed ASAP.

	The bug was found after a similar bug was reported in Linux,
	which uses a different version of Vixie's cron.

>How-To-Repeat:

	Make a crontab entry using an environment variable definition
	of the form

	A_VERY_LONG_ENVIRONMENT_ ... _VARIABLE_NAME=some_value

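As an added illustration (not the submitter's code nor cron's own), a bounded parser for the `NAME = value` line shape that `load_env` hands to `sscanf`: the name and value lengths are checked against their destination buffers before any byte is copied, so an over-long variable name is reported instead of being written past `name[]`. The buffer sizes and helper names are assumed.

```c
#include <string.h>

/* Stand-ins for cron's MAX_TEMPSTR / MAX_ENVSTR; the numbers are
 * assumed for illustration and are not cron's real values. */
#define NAME_MAX_LEN 32
#define VAL_MAX_LEN  256

/* ENV_NOT_ENV: not a NAME=value line, the caller treats it as a cron entry.
 * ENV_NAME_TOO_LONG: the overflow of name[] that the PR describes. */
enum env_result { ENV_OK = 0, ENV_NOT_ENV, ENV_NAME_TOO_LONG, ENV_VALUE_TOO_LONG };

/* Bounded equivalent of sscanf(envstr, "%[^ =] = %[^\n#]", name, val):
 * each length is checked against its destination before any byte is copied. */
enum env_result parse_env_line(const char *envstr, char *name, size_t namesz,
                               char *val, size_t valsz)
{
    size_t n = strcspn(envstr, " =");          /* what %[^ =] would consume */
    if (n == 0) return ENV_NOT_ENV;
    if (n >= namesz) return ENV_NAME_TOO_LONG; /* leave room for the NUL */
    const char *p = envstr + n;
    while (*p == ' ' || *p == '\t') p++;       /* blanks allowed around '=' */
    if (*p != '=') return ENV_NOT_ENV;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    size_t v = strcspn(p, "\n#");              /* what %[^\n#] would consume */
    if (v == 0) return ENV_NOT_ENV;            /* sscanf would report 1 field */
    if (v >= valsz) return ENV_VALUE_TOO_LONG;
    memcpy(name, envstr, n); name[n] = '\0';
    memcpy(val, p, v);       val[v] = '\0';
    return ENV_OK;
}

/* Runs one crontab line through the parser with fixed-size buffers. */
enum env_result check_line(const char *line)
{
    char name[NAME_MAX_LEN], val[VAL_MAX_LEN];
    return parse_env_line(line, name, sizeof name, val, sizeof val);
}

/* Constructs "AAA...A=x\n" with a name of len bytes and parses it. */
enum env_result check_long_name(size_t len)
{
    char line[1024];
    if (len + 4 > sizeof line) return ENV_NAME_TOO_LONG;
    memset(line, 'A', len);
    memcpy(line + len, "=x\n", 4);
    return check_line(line);
}
```
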
>Fix:
	
	See the attached patch...


--- cron/lib/env.c.orig	Sat Aug 27 16:43:02 1994
+++ cron/lib/env.c	Tue Dec 24 11:45:40 1996
@@ -117,6 +117,8 @@
 	int	fileline;
 	char	name[MAX_TEMPSTR], val[MAX_ENVSTR];
 	int	fields;
+	size_t	envlen;
+	char	*ptr;
 
 	filepos = ftell(f);
 	fileline = LineNumber;
@@ -125,6 +127,20 @@
 		return (ERR);
 
 	Debug(DPARS, ("load_env, read <%s>\n", envstr))
+
+	ptr = strpbrk (envstr, "=\n");
+
+	if (! ptr)
+	    envlen = strlen (envstr);
+	else
+	    envlen = ptr - envstr;
+
+	if (envlen >= MAX_TEMPSTR) {
+	    Debug(DPARS, ("load_env, var name too long\n"))
+	    fseek(f, filepos, 0);
+	    Set_LineNum(fileline);
+	    return (FALSE);
+	}
 
 	name[0] = val[0] = '\0';
 	fields = sscanf(envstr, "%[^ =] = %[^\n#]", name, val);
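Review bot: the new length check and the `sscanf` that follows it measure the name differently: `strpbrk (envstr, "=\n")` stops at the first '=' or newline, while `%[^ =]` stops at the first blank or '='. Since a blank can only end the scanned name earlier, `envlen` is an upper bound on what `sscanf` will store, so the `envlen >= MAX_TEMPSTR` test does close the overflow of `name[MAX_TEMPSTR]`; the only cost is that a name padded with blanks before '=' may be refused a few bytes before the real limit, which is acceptable. To make the guarantee independent of the two scanners agreeing, consider also bounding the conversions themselves with field widths derived from `MAX_TEMPSTR - 1` and `MAX_ENVSTR - 1` in the `sscanf` format. On the rejection path the function rewinds with `fseek(f, filepos, 0)` and returns FALSE, so the line is presumably handed back to the caller as a non-environment line and will surface as a generic syntax error; the "var name too long" text is only emitted under `DPARS` debugging, so a plain logged warning would help an administrator see why the crontab was refused. Minor: `SEEK_SET` reads better than the literal 0 in `fseek`.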
>Audit-Trail:
>Unformatted: