From owner-freebsd-current@FreeBSD.ORG  Sat Apr 19 20:23:05 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6717A37B401; Sat, 19 Apr 2003 20:23:05 -0700 (PDT)
Received: from obsecurity.dyndns.org (adsl-67-115-75-1.dsl.lsan03.pacbell.net
	[67.115.75.1])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 481C443FCB; Sat, 19 Apr 2003 20:23:04 -0700 (PDT)
	(envelope-from kris@obsecurity.org)
Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5])
	by obsecurity.dyndns.org (Postfix) with ESMTP
	id A538966B9B; Sat, 19 Apr 2003 20:23:03 -0700 (PDT)
Received: by rot13.obsecurity.org (Postfix, from userid 1000)
	id 75133149E; Sat, 19 Apr 2003 20:23:03 -0700 (PDT)
Date: Sat, 19 Apr 2003 20:23:03 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: audit@FreeBSD.org, current@FreeBSD.org
Message-ID: <20030420032303.GA25568@rot13.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf"
Content-Disposition: inline
User-Agent: Mutt/1.4i
Subject: Buffer overflow in disklabel
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Apr 2003 03:23:05 -0000


--J2SCkAp4GZ/dPZZf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Run the following under /bin/sh (not tcsh, which - still! - has a bug
that causes the command to hang tcsh):

# disklabel `perl -e 'print "a"x51200'`
Segmentation fault (core dumped)

The responsible code is:

        dkname = argv[0];
        if (dkname[0] != '/') {
                (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
                specname = np;
                np += strlen(specname) + 1;
        } else
                specname = dkname;
        f = open(specname, op == READ ? O_RDONLY : O_RDWR);
        if (f < 0 && errno == ENOENT && dkname[0] != '/') {
                (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
                np = namebuf + strlen(specname) + 1;
                f = open(specname, op == READ ? O_RDONLY : O_RDWR);
        }

i.e. overflowing an 8k buffer.  Does anyone feel like fixing it?

Kris
--J2SCkAp4GZ/dPZZf
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+ohKWWry0BWjoQKURAhbAAKDTuOfY5WfVGl4Q9XLR6xx2yjEgpgCgj0b8
RhHKKN57WHNGYSFJAh/JPhg=
=0FQu
-----END PGP SIGNATURE-----

--J2SCkAp4GZ/dPZZf--