From owner-freebsd-bugs Sun Mar 2 9:20:17 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <200303021716.h22HGMFt010661@skalman.campus.luth.se>
Date: Sun, 2 Mar 2003 18:16:22 +0100 (CET)
From: Peter A Jonsson
Reply-To: Peter A Jonsson
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/48844: Missing error checks in gzprintf.
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 48844
>Category: bin
>Synopsis: Missing error checks in gzprintf.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 02 09:20:11 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Peter A Jonsson
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
none.
>Environment:
System: FreeBSD skalman.campus.luth.se 5.0-CURRENT FreeBSD 5.0-CURRENT #9: Fri Feb 28 18:06:40 CET 2003 pantzer@skalman.campus.luth.se:/usr/obj/usr/src/sys/SKALMAN i386
>Description:
In src/lib/libz/gzio.c the function gzprintf does not check if the amount of bytes (supposed to be) written by vsnprintf exceeds the size of the buffer.
>How-To-Repeat:
N/A
>Fix:
From OpenBSD:

Index: gzio.c =================================================================== RCS file: /home/ncvs/src/lib/libz/gzio.c,v retrieving revision 1.8 diff -u -r1.8 gzio.c --- gzio.c 11 Mar 2002 22:36:26 -0000 1.8 +++ gzio.c 2 Mar 2003 17:05:48 -0000 @@ -531,13 +531,13 @@ va_start(va, format); #ifdef HAS_vsnprintf - (void)vsnprintf(buf, sizeof(buf), format, va); + len = vsnprintf(buf, sizeof(buf), format, va); #else (void)vsprintf(buf, format, va); + len = strlen(buf); /* some *sprintf don't return the nb of bytes written */ #endif va_end(va); - len = strlen(buf); /* some *sprintf don't return the nb of bytes written */ - if (len <= 0) return 0; + if (len <= 0 || len >= sizeof(buf)) return 0; return gzwrite(file, buf, (unsigned)len); } 
@@ -554,14 +554,14 @@ int len; #ifdef HAS_snprintf - snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8, + len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); #else sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); -#endif len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */ - if (len <= 0) return 0; +#endif + if (len <= 0 || len >= sizeof(buf)) return 0; return gzwrite(file, buf, len); } 
>Release-Note:
>Audit-Trail:
>Unformatted:
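Review bot: In the first hunk (@@ -531,13 +531,13 @@), the #else branch still calls the unbounded vsprintf, so by the time the new `len >= sizeof(buf)` test runs, any over-long output has already been written past the end of buf; the test only helps on the HAS_vsnprintf path. Either refuse to build or format without vsnprintf, or say in a comment that the #else test is detection after the fact and not prevention. The HAS_vsnprintf path also now trusts the return value of vsnprintf, which the relocated comment ("some *sprintf don't return the nb of bytes written") says is not dependable everywhere, so the hunk should state which return convention it assumes.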
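Review bot: In the second hunk (@@ -554,14 +554,14 @@), `len` is declared `int` while `sizeof(buf)` is a size_t, so `len >= sizeof(buf)` is a mixed signed/unsigned comparison that is only correct because `len <= 0` is tested first and short-circuits. Writing it as `(size_t)len >= sizeof(buf)` makes that dependency explicit and avoids a sign-compare warning. Returning 0 when the output does not fit also drops the data silently and looks the same to the caller as formatting an empty string, so the function comment should document that over-long output is discarded and not truncated.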