Date: Sun, 06 Jan 2002 23:33:13 -0500 (EST) From: Mike Heffner <mheffner@novacoxmail.com> To: FreeBSD-audit <FreeBSD-audit@freebsd.org> Subject: Fwd: Re: bin/19422: users can overflow argv to make ps segfault Message-ID: <XFMail.20020106233313.mheffner@novacoxmail.com>
next in thread | raw e-mail | index | archive | help
This message is in MIME format
--_=XFMail.1.5.2.FreeBSD:20020106233313:192=_
Content-Type: text/plain; charset=us-ascii
I'm resending this patch to -audit since I didn't get much response on
-bugs, and that the patch is somewhat ugly. Does anyone notice anything
wrong with the attached patch? Otherwise, I will commit it shortly.
Thanks,
-----Fwd: <XFMail.20011211231854.mheffner@vt.edu>-----
Date: Tue, 11 Dec 2001 23:18:54 -0500 (EST)
Sender: owner-freebsd-bugs@FreeBSD.ORG
From: Mike Heffner <mheffner@vt.edu>
To: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/19422: users can overflow argv to make ps segfault
Cc: Marc Olzheim <marcolz@ilse.nl>, FreeBSD-bugs <freebsd-bugs@FreeBSD.ORG>
Well, I've looked at this a little more. I was able to reproduce it (it
took a few times though). Unfortunately, the patch isn't as simple as the
one in the PR. Could you please try the attached patch? There is still a
problem though, and that is that the strlen()s can seg. fault if the
argv[] strings aren't NULL terminated - I don't know how to fix this
problem though :(
Mike
--
Mike Heffner <mheffner@[acm.]vt.edu>
Blacksburg, VA <mikeh@FreeBSD.org>
--------------End of forwarded message-------------------------
Mike
--
Mike Heffner <mheffner@[acm.]vt.edu>
Fredericksburg, VA <mikeh@FreeBSD.org>
--_=XFMail.1.5.2.FreeBSD:20020106233313:192=_
Content-type: text/plain;
SizeOnDisk=908; name=ps.argoflow.diff; charset=us-ascii
Content-description: ps.argoflow.diff
Content-disposition: attachment; filename=ps.argoflow.diff
Content-transfer-encoding: 7bit
Index: fmt.c
===================================================================
RCS file: /home/ncvs/src/bin/ps/fmt.c,v
retrieving revision 1.14
diff -u -r1.14 fmt.c
--- fmt.c 27 Aug 1999 23:14:51 -0000 1.14
+++ fmt.c 12 Dec 2001 04:12:24 -0000
@@ -61,7 +61,8 @@
shquote(argv)
char **argv;
{
- long arg_max;
+ static long arg_max = -1;
+ long len;
char **p, *dst, *src;
static char *buf = NULL;
@@ -80,13 +81,16 @@
for (p = argv; (src = *p++) != 0; ) {
if (*src == 0)
continue;
- strvis(dst, src, VIS_NL | VIS_CSTYLE);
+ len = (4 * arg_max - (dst - buf)) / 4;
+ strvisx(dst, src, strlen(src) < len ? strlen(src) : len,
+ VIS_NL | VIS_CSTYLE);
while (*dst)
dst++;
- *dst++ = ' ';
+ if ((4 * arg_max - (dst - buf)) / 4 > 0)
+ *dst++ = ' ';
}
/* Chop off trailing space */
- if (dst != buf)
+ if (dst != buf && dst[-1] == ' ')
dst--;
*dst = '\0';
return (buf);
--_=XFMail.1.5.2.FreeBSD:20020106233313:192=_--
End of MIME message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.20020106233313.mheffner>