Date: Fri, 17 Oct 2025 11:55:21 GMT
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 5854d1cbab10 - main - quot: Fix benign buffer overflow
Message-ID: <202510171155.59HBtLTm004619@gitrepo.freebsd.org>
The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=5854d1cbab1073d78519e7ad9a6eb5726341d587

commit 5854d1cbab1073d78519e7ad9a6eb5726341d587
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-10-17 11:54:48 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-10-17 11:54:48 +0000

    quot: Fix benign buffer overflow

    If it encounters an inode whose owner does not have a pw entry, quot
    allocates a 7-byte buffer (8 in practice, since that is the minimum
    allocation size) and uses it to store the numeric uid preceded by a
    hash character.  This will overflow the allocated buffer if the UID
    exceeds 6 decimal digits.  Avoid this by using asprintf() instead.

    While here, simplify the common case as well using strdup().

    Reported by:    Igor Gabriel Sousa e Souza <igor@bsdtrust.com>
    MFC after:      3 days
    Reviewed by:    obiwac, emaste
    Differential Revision:  https://reviews.freebsd.org/D53129
---
 usr.sbin/quot/quot.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/quot/quot.c b/usr.sbin/quot/quot.c index 4152c498371a..c11c46a500a1 100644 --- a/usr.sbin/quot/quot.c +++ b/usr.sbin/quot/quot.c @@ -280,14 +280,10 @@ user(uid_t uid) usr--) { if (!usr->name) { usr->uid = uid; - if (!(pwd = getpwuid(uid))) { - if ((usr->name = (char *)malloc(7))) - sprintf(usr->name,"#%d",uid); + asprintf(&usr->name, "#%u", uid); } else { - if ((usr->name = (char *) - malloc(strlen(pwd->pw_name) + 1))) - strcpy(usr->name,pwd->pw_name); + usr->name = strdup(pwd->pw_name); } if (!usr->name) errx(1, "allocate users");
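
Review bot: the new asprintf(&usr->name, "#%u", uid) call in the no-pw-entry branch discards its return value, so allocation failure is only caught by the later if (!usr->name) check. That works because FreeBSD's asprintf() sets the pointer to NULL on failure, but other implementations leave it undefined, so testing the call for a negative return and calling errx() there would make the error path explicit and safe to copy elsewhere. The switch from "%d" to "%u" also assumes uid_t is an unsigned int; a cast to (unsigned int), or "%ju" with (uintmax_t), would state that assumption in the code.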
