Date: Sun, 06 Jan 2002 23:33:13 -0500 (EST)
From: Mike Heffner <mheffner@novacoxmail.com>
To: FreeBSD-audit <FreeBSD-audit@freebsd.org>
Subject: Fwd: Re: bin/19422: users can overflow argv to make ps segfault
Message-ID: <XFMail.20020106233313.mheffner@novacoxmail.com>
I'm resending this patch to -audit since I didn't get much response on
-bugs, and since the patch is somewhat ugly. Does anyone notice anything
wrong with the attached patch? Otherwise, I will commit it shortly.
Thanks,
-----Fwd: <XFMail.20011211231854.mheffner@vt.edu>-----
Date: Tue, 11 Dec 2001 23:18:54 -0500 (EST)
Sender: owner-freebsd-bugs@FreeBSD.ORG
From: Mike Heffner <mheffner@vt.edu>
To: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/19422: users can overflow argv to make ps segfault
Cc: Marc Olzheim <marcolz@ilse.nl>, FreeBSD-bugs <freebsd-bugs@FreeBSD.ORG>
Well, I've looked at this a little more. I was able to reproduce it (it
took a few times though). Unfortunately, the patch isn't as simple as the
one in the PR. Could you please try the attached patch? There is still a
problem though, and that is that the strlen()s can seg. fault if the
argv[] strings aren't NULL terminated - I don't know how to fix this
problem though :(
Mike
--
Mike Heffner <mheffner@[acm.]vt.edu>
Blacksburg, VA <mikeh@FreeBSD.org>
--------------End of forwarded message-------------------------
Mike
--
Mike Heffner <mheffner@[acm.]vt.edu>
Fredericksburg, VA <mikeh@FreeBSD.org>
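A bounded version of the quoting loop, added here as an illustration and not part of the patch or of FreeBSD's fmt.c: the hypothetical shquote_bounded() keeps the patch's rule of dividing the remaining output room by 4 and additionally limits how far each argv[] string is read with memchr(), which addresses the unbounded strlen() the forwarded message mentions. A small escaper (vis_byte) stands in for strvis(3)'s VIS_CSTYLE, and the caller passes the buffer size instead of calling sysconf(_SC_ARG_MAX).

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Minimal C-style escaper standing in for strvis(3)/VIS_CSTYLE; writes 1..4 bytes. */
static int vis_byte(char *dst, unsigned char c)
{
    if (c == '\n') { dst[0] = '\\'; dst[1] = 'n';  return 2; }
    if (c == '\\') { dst[0] = '\\'; dst[1] = '\\'; return 2; }
    if (isprint(c)) { dst[0] = (char)c; return 1; }
    dst[0] = '\\';                                  /* "\ooo" octal escape */
    dst[1] = '0' + (c >> 6); dst[2] = '0' + ((c >> 3) & 7);
    dst[3] = '0' + (c & 7);
    return 4;
}

/*
 * Join argv into buf as one space-separated escaped string, never writing
 * past bufsize bytes and never reading an argument further than the output
 * room allows (so an argv[] string that lacks a NUL cannot be over-read).
 * Returns the number of bytes stored, excluding the terminating NUL.
 */
size_t shquote_bounded(char **argv, char *buf, size_t bufsize)
{
    char *dst = buf;

    if (bufsize == 0)
        return 0;
    for (char **p = argv; *p != NULL; p++) {
        const char *src = *p;
        /* Input bytes still encodable assuming 4x expansion, as in the patch. */
        size_t room = (bufsize - 1 - (size_t)(dst - buf)) / 4;
        /* Bounded scan: look for the NUL only within what we could emit. */
        const char *nul = memchr(src, '\0', room);
        size_t n = nul != NULL ? (size_t)(nul - src) : room;

        if (n == 0)              /* empty argument or no room left */
            continue;
        for (size_t i = 0; i < n; i++)
            dst += vis_byte(dst, (unsigned char)src[i]);
        /* Separator only if another fully expanded byte would still fit. */
        if ((bufsize - 1 - (size_t)(dst - buf)) / 4 > 0)
            *dst++ = ' ';
    }
    if (dst != buf && dst[-1] == ' ')   /* chop trailing space, if one was written */
        dst--;
    *dst = '\0';
    return (size_t)(dst - buf);
}
```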
Index: fmt.c
===================================================================
RCS file: /home/ncvs/src/bin/ps/fmt.c,v
retrieving revision 1.14
diff -u -r1.14 fmt.c
--- fmt.c 27 Aug 1999 23:14:51 -0000 1.14
+++ fmt.c 12 Dec 2001 04:12:24 -0000
@@ -61,7 +61,8 @@
shquote(argv)
char **argv;
{
- long arg_max;
+ static long arg_max = -1;
+ long len;
char **p, *dst, *src;
static char *buf = NULL;
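Review bot: `len` is declared `long` here but the second hunk compares it against `strlen(src)`, which is a `size_t`, so `strlen(src) < len` is a signed/unsigned comparison in which `len` is silently converted to unsigned; declare it `size_t len` (by construction it is never negative) or cast explicitly. Also, `arg_max` now carries a `-1` sentinel, but the hunk does not show the guard that populates it once; make sure the surrounding sysconf call (not in this hunk) tests `arg_max == -1`, otherwise making it `static` changes nothing.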
@@ -80,13 +81,16 @@
for (p = argv; (src = *p++) != 0; ) {
if (*src == 0)
continue;
- strvis(dst, src, VIS_NL | VIS_CSTYLE);
+ len = (4 * arg_max - (dst - buf)) / 4;
+ strvisx(dst, src, strlen(src) < len ? strlen(src) : len,
+ VIS_NL | VIS_CSTYLE);
while (*dst)
dst++;
- *dst++ = ' ';
+ if ((4 * arg_max - (dst - buf)) / 4 > 0)
+ *dst++ = ' ';
}
/* Chop off trailing space */
- if (dst != buf)
+ if (dst != buf && dst[-1] == ' ')
dst--;
*dst = '\0';
return (buf);
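Review bot: the `strlen(src)` in the new `strvisx()` call is still unbounded, so the over-read on a non-NUL-terminated argv[] string that the forwarded message worries about remains, and it is also evaluated twice per argument; since at most `len` bytes are encoded anyway, compute the count with a bounded scan instead, e.g. `e = memchr(src, '\0', len); n = e ? e - src : len;` and pass `n` to `strvisx()`. The `/ 4` relies on strvis() expanding each byte to at most four output bytes and on `buf` having been allocated with `4 * arg_max + 1` bytes, which is what lets the final `*dst = '\0'` stay in range when the remaining count reaches zero; that assumption deserves a comment next to the allocation. The changed chop condition `dst[-1] == ' '` is correct, since the separator is now conditional and the last argument may have been cut short without a trailing space.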
