From owner-freebsd-bugs Mon Sep 22 23:10:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA21045 for bugs-outgoing; Mon, 22 Sep 1997 23:10:06 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA21038; Mon, 22 Sep 1997 23:10:02 -0700 (PDT)
Resent-Date: Mon, 22 Sep 1997 23:10:02 -0700 (PDT)
Resent-Message-Id: <199709230610.XAA21038@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, ada@not-enough.bandwidth.org
Received: from polya.blah.org (slmel12p01.ozemail.com.au [203.108.200.89]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA20771 for ; Mon, 22 Sep 1997 23:07:06 -0700 (PDT)
Received: (from ada@localhost) by polya.blah.org (8.8.6/8.8.5) id QAA00814; Tue, 23 Sep 1997 16:06:56 +1000 (EST)
Message-Id: <199709230606.QAA00814@polya.blah.org>
Date: Tue, 23 Sep 1997 16:06:56 +1000 (EST)
From: Ada T Lim
Reply-To: ada@not-enough.bandwidth.org
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: dholland@burgundy.eecs.harvard.edu
X-Send-Pr-Version: 3.2
Subject: bin/4610: potential buffer overrun in bootparamd
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 4610
>Category: bin
>Synopsis: potential buffer overrun in bootparamd
>Confidential: yes
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Sep 22 23:10:01 PDT 1997
>Last-Modified:
>Originator: Ada T Lim
>Organization:
>Release: FreeBSD 2.2-STABLE i386
>Environment:
>Description:
bootparamd copies h_name into askname, a statically sized buffer of 255 bytes. MAXHOSTNAMELEN is 256 bytes.
Patch written by David Holland (dholland@burgundy.eecs.harvard.edu)
>How-To-Repeat:
>Fix:
--- bootparamd.c.dist Tue Sep 23 01:33:56 1997
+++ bootparamd.c Tue Sep 23 01:39:26 1997
@@ -68,7 +68,9 @@ if (debug) warnx("this is host %s", he->h_name); if (dolog) syslog(LOG_NOTICE,"This is host %s\n", he->h_name); - strcpy(askname, he->h_name); + strncpy(askname, he->h_name, sizeof(askname)); + askname[sizeof(askname)-1] = 0; + if (checkhost(askname, hostname) ) { res.client_name = hostname; getdomainname(domain_name, MAX_MACHINE_NAME); @@ -123,7 +125,9 @@ he = gethostbyname(getfile->client_name); if (! he ) goto failed; - strcpy(askname,he->h_name); + strncpy(askname, he->h_name, sizeof(askname)); + askname[sizeof(askname)-1] = 0; + if (getthefile(askname, getfile->file_id,buffer)) { if ( (where = index(buffer,':')) ) { /* buffer is re-written to contain the name of the info of file */ @@ -314,7 +318,8 @@ he = gethostbyname(askname); if (he && !strcmp(askname, he->h_name)) { res = 1; - sprintf(hostname,"%s", he->h_name); + // XXX the length should really be an arg to this function... + snprintf(hostname, MAX_MACHINE_NAME, "%s", he->h_name); } } if (fclose(bpf)) >Audit-Trail: >Unformatted:
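Review bot: in the first hunk (@@ -68,7 +68,9 @@), `sizeof(askname)` is only a valid bound if `askname` is declared as a true array in this scope, not as a pointer; the declaration is outside the hunk, so that should be confirmed before merging. The `strncpy` plus `askname[sizeof(askname)-1] = 0;` pair is correct, but an over-long `he->h_name` is now silently truncated, and the truncated `askname` will then fail the `strcmp` against `he->h_name` inside `checkhost`, so the request is refused with no diagnostic. Consider logging when `strlen(he->h_name) >= sizeof(askname)` under the existing `debug`/`dolog` paths so that refusal is explainable in the field.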
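Review bot: the second hunk (@@ -123,7 +125,9 @@) repeats the same three-line copy-and-terminate sequence as the first; a single small helper (or `strlcpy` where available) would keep the two sites from drifting apart and make the bound visible in one place. The `if (! he ) goto failed;` guard before the copy is present, so `he->h_name` is not dereferenced through a NULL `he` here.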
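Review bot: the third hunk (@@ -314,7 +318,8 @@) introduces a `//` comment into a C source file; use `/* ... */` for consistency with the rest of the file and for compilers that do not accept C++-style comments. The `XXX` note is right that `MAX_MACHINE_NAME` is an assumption about the caller's `hostname` buffer rather than a property of the parameter; passing the destination size into `checkhost` would remove that coupling. Also, `res = 1;` is set before the `snprintf`, so a truncated copy is still reported as a successful match; checking that the `snprintf` return value is below the size argument (and clearing `res` otherwise) would make truncation a failure instead.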