Date:      Tue, 23 Sep 1997 16:06:56 +1000 (EST)
From:      Ada T Lim <ada@not-enough.bandwidth.org>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Cc:        dholland@burgundy.eecs.harvard.edu
Subject:   bin/4610: potential buffer overrun in bootparamd
Message-ID:  <199709230606.QAA00814@polya.blah.org>
Resent-Message-ID: <199709230610.XAA21038@hub.freebsd.org>


>Number:         4610
>Category:       bin
>Synopsis:       potential buffer overrun in bootparamd
>Confidential:   yes
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 22 23:10:01 PDT 1997
>Last-Modified:
>Originator:     Ada T Lim
>Organization:
>Release:        FreeBSD 2.2-STABLE i386
>Environment:

>Description:

bootparamd copies h_name into askname, a statically sized buffer of 255
bytes.  MAXHOSTNAMELEN is 256 bytes.

patch written by David Holland (dholland@burgundy.eecs.harvard.edu)

>How-To-Repeat:
>Fix:
--- bootparamd.c.dist   Tue Sep 23 01:33:56 1997
+++ bootparamd.c        Tue Sep 23 01:39:26 1997
@@ -68,7 +68,9 @@
   if (debug) warnx("this is host %s", he->h_name);
   if (dolog) syslog(LOG_NOTICE,"This is host %s\n", he->h_name);

-  strcpy(askname, he->h_name);
+  strncpy(askname, he->h_name, sizeof(askname));
+  askname[sizeof(askname)-1] = 0;
+
   if (checkhost(askname, hostname) ) {
     res.client_name = hostname;
     getdomainname(domain_name, MAX_MACHINE_NAME);
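Review bot: The strncpy on the added line truncates h_name silently, so a name longer than askname is cut down and still handed to checkhost() on the next line, which may then match a different host than the one gethostbyname() actually resolved; the same applies in the second hunk before getthefile(). Since the third hunk already uses snprintf, the same form with a truncation check keeps the three sites consistent and lets the code refuse rather than guess, e.g. `if (snprintf(askname, sizeof askname, "%s", he->h_name) >= (int)sizeof askname) goto failed;` in the second hunk, where a `failed` label is already in use; the first hunk shows no such label, so its error path has to be chosen from the enclosing function. Both `sizeof(askname)` uses only measure the buffer if askname is an array in this scope rather than a pointer, which the hunk does not show, so that is worth confirming against the declaration. The enclosing function starts and ends outside the hunk.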
@@ -123,7 +125,9 @@
   he = gethostbyname(getfile->client_name);
   if (! he ) goto failed;

-  strcpy(askname,he->h_name);
+  strncpy(askname, he->h_name, sizeof(askname));
+  askname[sizeof(askname)-1] = 0;
+
   if (getthefile(askname, getfile->file_id,buffer)) {
     if ( (where = index(buffer,':')) ) {
       /* buffer is re-written to contain the name of the info of file */
@@ -314,7 +318,8 @@
         he = gethostbyname(askname);
         if (he && !strcmp(askname, he->h_name)) {
          res = 1;
-         sprintf(hostname,"%s", he->h_name);
+         // XXX the length should really be an arg to this function...
+         snprintf(hostname, MAX_MACHINE_NAME, "%s", he->h_name);
        }
       }
       if (fclose(bpf))
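Review bot: The snprintf on the added line bounds the write to MAX_MACHINE_NAME, but hostname is a parameter here and the hunk does not show that every caller's buffer is at least that large, which is what the added XXX comment itself concedes; the return value is also unchecked, so an over-long h_name leaves `res = 1` set while hostname holds a truncated name. If callers treat res as the match flag, checking the result and clearing it keeps them from acting on a truncated name: `if (snprintf(hostname, MAX_MACHINE_NAME, "%s", he->h_name) >= MAX_MACHINE_NAME) res = 0;`. The `//` comment is a C99 form while the surrounding code uses `/* */` (see the comment in the second hunk), so `/* XXX the length should really be an arg to this function... */` matches the file. The enclosing function begins outside the hunk.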

>Audit-Trail:
>Unformatted:


