From owner-freebsd-bugs  Tue Jan 28 02:00:13 1997
Return-Path: <owner-bugs>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id CAA03612
          for bugs-outgoing; Tue, 28 Jan 1997 02:00:13 -0800 (PST)
Received: (from gnats@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id CAA03591;
          Tue, 28 Jan 1997 02:00:08 -0800 (PST)
Resent-Date: Tue, 28 Jan 1997 02:00:08 -0800 (PST)
Resent-Message-Id: <199701281000.CAA03591@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, jau@iki.fi
Received: from jau.thunderbolt.fi (root@jukkonen.dial.tele.fi [194.89.253.78])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA03290
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 Jan 1997 01:51:39 -0800 (PST)
Received: (from jau@localhost) by jau.thunderbolt.fi (8.7.5/8.6.12+CSC-2.1) id KAA13618; Tue, 28 Jan 1997 10:46:00 +0200 (EET)
Message-Id: <199701280846.KAA13618@jau.thunderbolt.fi>
Date: Tue, 28 Jan 1997 10:46:00 +0200 (EET)
From: Jukka Ukkonen <jau@jau.thunderbolt.fi>
Reply-To: jau@iki.fi
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/2605: Buffer overflow in Paul Vixie's cron
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


>Number:         2605
>Category:       bin
>Synopsis:       Buffer overflow in Paul Vixie's cron
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 28 02:00:06 PST 1997
>Last-Modified:
>Originator:     Jukka Ukkonen
>Organization:
Private person
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

	This is a system software problem which is independent of the
	hardware environment in which the program is running.

>Description:

	There was a possibility to cause an overflow of a string buffer
	in Vixie's cron implementation by defining very long names for
	environment variables. This erroneous behaviour could create
	a security problem unless fixed ASAP.

	The bug was found after a similar bug was reported in Linux,
	which uses a different version of Vixie's cron.

>How-To-Repeat:

	Make a crontab entry using an environment variable definition
	of the form

	A_VERY_LONG_ENVIRONMENT_ ... _VARIABLE_NAME=some_value

>Fix:
	
	See the attached patch...


--- cron/lib/env.c.orig	Sat Aug 27 16:43:02 1994
+++ cron/lib/env.c	Tue Dec 24 11:45:40 1996
@@ -117,6 +117,8 @@
 	int	fileline;
 	char	name[MAX_TEMPSTR], val[MAX_ENVSTR];
 	int	fields;
+	size_t	envlen;
+	char	*ptr;
 
 	filepos = ftell(f);
 	fileline = LineNumber;
@@ -125,6 +127,20 @@
 		return (ERR);
 
 	Debug(DPARS, ("load_env, read <%s>\n", envstr))
+
+	ptr = strpbrk (envstr, "=\n");
+
+	if (! ptr)
+	    envlen = strlen (envstr);
+	else
+	    envlen = ptr - envstr;
+
+	if (envlen >= MAX_TEMPSTR) {
+	    Debug(DPARS, ("load_env, var name too long\n"))
+	    fseek(f, filepos, 0);
+	    Set_LineNum(fileline);
+	    return (FALSE);
+	}
 
 	name[0] = val[0] = '\0';
 	fields = sscanf(envstr, "%[^ =] = %[^\n#]", name, val);
>Audit-Trail:
>Unformatted: