From owner-freebsd-audit Thu Oct 4 2:17:51 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from ringworld.nanolink.com (straylight.ringlet.net [217.75.134.254]) by hub.freebsd.org (Postfix) with SMTP id 95C1937B403 for ; Thu, 4 Oct 2001 02:17:36 -0700 (PDT)
Received: (qmail 7829 invoked by uid 1000); 4 Oct 2001 09:16:40 -0000
Date: Thu, 4 Oct 2001 12:16:40 +0300
From: Peter Pentchev
To: freebsd-net@FreeBSD.org
Cc: freebsd-audit@FreeBSD.org
Subject: [CFR] whois(1) out-of-bound access patch
Message-ID: <20011004121640.C1959@ringworld.oblivion.bg>
Mail-Followup-To: freebsd-net@FreeBSD.org, freebsd-audit@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi,

As described in PR bin/30968, whois(1) may access invalid data when the whois server returns a non-newline-terminated string. While it is true that the whois server maintainers should do a better job of following standards and such, still the 'be liberal in what you accept' mindset might be applied in this case, to fix what is ultimately a subtle fgetln(3) use bug :)

Any harm in committing the attached patch? And this - or something like this - should be done soon; all FreeBSD whois clients currently display weird behavior when querying .biz domains :\

G'luck,
Peter

-- 
because I didn't think of a good beginning of it.

Index: src/usr.bin/whois/whois.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/whois/whois.c,v
retrieving revision 1.24
diff -u -r1.24 whois.c
--- src/usr.bin/whois/whois.c 2001/08/05 19:37:12 1.24
+++ src/usr.bin/whois/whois.c 2001/10/04 14:03:33
@@ -51,6 +51,7 @@ #include #include #include +#include #include #include #include 
@@ -251,7 +252,7 @@ { FILE *sfi, *sfo; struct addrinfo *res2; - char *buf, *nhost, *p; + char *abuf, *buf, *nhost, *p; int i, nomatch, s; size_t len; @@ -275,6 +276,16 @@ nhost = NULL; nomatch = 0; while ((buf = fgetln(sfi, &len)) != NULL) { + abuf = NULL; + if ((len == 0) || !isspace(buf[len - 1])) { + abuf = calloc(1, len + 1); + if (abuf == NULL) { + errno = ENOMEM; + err(1, "reallocating"); + } + memcpy(abuf, buf, len); + buf = abuf; + } while (len && isspace(buf[len - 1])) buf[--len] = '\0'; @@ -304,6 +315,7 @@ nomatch = 1; } printf("%s\n", buf); + free(abuf); } /* Do second lookup as needed. */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
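Review bot: the header name on the added `#include` line in the first hunk is not visible here, so please confirm the hunk really pulls in every declaration the new code depends on: the loop body added later calls calloc() and free() (<stdlib.h>), memcpy() (<string.h>), isspace() (<ctype.h>), and assigns errno with ENOMEM (<errno.h>). isspace() was already used by the existing trimming loop shown as context, so <ctype.h> is presumably there, but errno/ENOMEM are new uses and will not compile without <errno.h>.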
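Review bot: in the `@@ -275,6 +276,16 @@` hunk, the error path `errno = ENOMEM; err(1, "reallocating");` is misleading on two counts: calloc() already sets errno when it fails, so the assignment is redundant, and the message names a reallocation that never happens; `err(1, "calloc")` says what failed. Two smaller points on the same hunk: `isspace(buf[len - 1])` (both on the new test and on the pre-existing trimming loop it sits next to) passes a plain `char`, which is undefined behaviour for bytes >= 0x80, and server output is not guaranteed to be 7-bit; `isspace((unsigned char)buf[len - 1])` is the portable form. And since fgetln(3) returns NULL at EOF rather than a zero-length line, the `(len == 0)` arm of the test is only defensive; harmless, but worth a comment so the next reader does not think it is reachable. The core logic is sound: a line whose last byte is not whitespace has no '\n' for the trimming loop to overwrite with '\0', so copying it into a calloc'd len+1 buffer is what gives printf("%s") a terminator.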
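Review bot: the `free(abuf);` added in the last hunk only runs when control reaches the end of the loop body, and the hunk does not show lines 279-314 in between; if any statement there does `continue` (or breaks out to the second lookup) after `abuf` has been allocated, that copy leaks once per such line. Please confirm there is no early exit on that path, or move the free to cover it. The unconditional call is otherwise fine, since `abuf` is NULL (and free(NULL) is defined) whenever the in-place trim was used.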