Date: Sat, 19 Apr 2003 20:23:03 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: audit@FreeBSD.org, current@FreeBSD.org
Subject: Buffer overflow in disklabel
Message-ID: <20030420032303.GA25568@rot13.obsecurity.org>
Run the following under /bin/sh (not tcsh, which - still! - has a bug
that causes the command to hang tcsh):
# disklabel `perl -e 'print "a"x51200'`
Segmentation fault (core dumped)
The responsible code is:
    dkname = argv[0];
    if (dkname[0] != '/') {
        /* np points into the fixed-size namebuf; sprintf() is given no bound */
        (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
        specname = np;
        np += strlen(specname) + 1;
    } else
        specname = dkname;
    f = open(specname, op == READ ? O_RDONLY : O_RDWR);
    if (f < 0 && errno == ENOENT && dkname[0] != '/') {
        /* second unbounded sprintf() into the same buffer on the ENOENT retry */
        (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
        np = namebuf + strlen(specname) + 1;
        f = open(specname, op == READ ? O_RDONLY : O_RDWR);
    }
i.e. overflowing an 8k buffer. Does anyone feel like fixing it?
Kris
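The following is an added example, not code from the mail or from FreeBSD's disklabel, showing the unbounded sprintf() shape reported above next to a bounded replacement that refuses an over-long argv[0] instead of running off the end of the name buffer. It assumes _PATH_DEV is "/dev/", RAW_PART is 2, and an 8192-byte buffer (the mail's "8k"); NAMEBUF_SIZE and all function names are ours.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumptions, not taken from the mail: FreeBSD's _PATH_DEV is "/dev/" and
 * RAW_PART is 2 (the 'c' partition); 8192 follows the mail's "8k buffer"
 * remark. NAMEBUF_SIZE and the function names below are ours.
 */
#define PATH_DEV     "/dev/"
#define RAW_PART     2
#define NAMEBUF_SIZE 8192

/*
 * The vulnerable shape from the mail: sprintf() is handed a pointer into a
 * fixed 8k buffer and no length, so an argv[0] longer than roughly
 * 8k - strlen("/dev/") - 2 bytes writes past the end of that buffer.
 */
static void build_specname_unsafe(char *np, const char *dkname)
{
    (void)sprintf(np, "%s%s%c", PATH_DEV, dkname, 'a' + RAW_PART);
}

/*
 * Hardened replacement. Computes the exact space needed before writing,
 * rejects names that do not fit with ENAMETOOLONG, and uses snprintf() so
 * that even a miscounted length cannot overflow. Returns 0 on success,
 * -1 on failure with errno set.
 */
static int build_specname(char *buf, size_t bufsize, const char *dkname,
    int with_part)
{
    size_t need;
    int n;

    /* "/dev/" + name + optional partition letter + NUL */
    need = strlen(PATH_DEV) + strlen(dkname) + (with_part ? 1 : 0) + 1;
    if (need > bufsize) {
        errno = ENAMETOOLONG;
        return (-1);
    }
    if (with_part)
        n = snprintf(buf, bufsize, "%s%s%c", PATH_DEV, dkname,
            'a' + RAW_PART);
    else
        n = snprintf(buf, bufsize, "%s%s", PATH_DEV, dkname);
    if (n < 0 || (size_t)n >= bufsize) {
        errno = ENAMETOOLONG;
        return (-1);
    }
    return (0);
}

/*
 * Mirrors the control flow of the snippet: an absolute path is used as-is,
 * anything else is prefixed with /dev/ (first with the raw partition
 * letter, then without, which is what the ENOENT retry in disklabel does).
 */
static int resolve_specname(char *buf, size_t bufsize, const char *dkname,
    int with_part)
{
    size_t len;

    if (dkname[0] == '/') {
        len = strlen(dkname);
        if (len + 1 > bufsize) {
            errno = ENAMETOOLONG;
            return (-1);
        }
        memcpy(buf, dkname, len + 1);
        return (0);
    }
    return (build_specname(buf, bufsize, dkname, with_part));
}

/* Builds the kind of argument the mail's perl one-liner produces. */
static char *make_long_name(size_t n)
{
    char *s = malloc(n + 1);

    if (s == NULL)
        return (NULL);
    memset(s, 'a', n);
    s[n] = '\0';
    return (s);
}

int main(void)
{
    char namebuf[NAMEBUF_SIZE];
    char *attack = make_long_name(51200);   /* constructed input */

    /* Short names are fine even with the unsafe version... */
    build_specname_unsafe(namebuf, "ad0");
    printf("unsafe, short name: %s\n", namebuf);

    /* ...but the bounded version refuses the 51200-byte name outright. */
    if (attack != NULL && resolve_specname(namebuf, sizeof(namebuf),
        attack, 1) == -1)
        printf("rejected %zu-byte name: %s\n", strlen(attack),
            strerror(errno));
    free(attack);
    return (0);
}
```

The length check before the write is the real fix; snprintf() alone would silently truncate the device name, which is safer than an overflow but still opens the wrong file, so the caller should treat a name that does not fit as an error rather than a truncation.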
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030420032303.GA25568>
