From owner-freebsd-audit Sun Jan 6 20:34:16 2002
Date: Sun, 06 Jan 2002 23:33:13 -0500 (EST)
From: Mike Heffner
Reply-To: Mike Heffner
To: FreeBSD-audit
Subject: Fwd: Re: bin/19422: users can overflow argv to make ps segfault
X-Mailer: XFMail 1.5.2 on FreeBSD

I'm resending this patch to -audit since I didn't get much response on -bugs, and the patch is somewhat ugly. Does anyone notice anything wrong with the attached patch? Otherwise, I will commit it shortly.

Thanks,

-----Fwd: -----
Date: Tue, 11 Dec 2001 23:18:54 -0500 (EST)
Sender: owner-freebsd-bugs@FreeBSD.ORG
From: Mike Heffner
To: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/19422: users can overflow argv to make ps segfault
Cc: Marc Olzheim, FreeBSD-bugs

Well, I've looked at this a little more. I was able to reproduce it (it took a few times though). Unfortunately, the patch isn't as simple as the one in the PR. Could you please try the attached patch? There is still a problem though, and that is that the strlen()s can segfault if the argv[] strings aren't NULL-terminated - I don't know how to fix this problem though :(

Mike

--
Mike Heffner
Blacksburg, VA

--------------End of forwarded message-------------------------

Mike

--
Mike Heffner
Fredericksburg, VA

Content-disposition: attachment; filename=ps.argoflow.diff

Index: fmt.c =================================================================== RCS file: /home/ncvs/src/bin/ps/fmt.c,v retrieving revision 1.14 diff -u -r1.14 fmt.c --- fmt.c 27 Aug 1999 23:14:51 -0000 1.14 +++ fmt.c 12 Dec 2001 04:12:24 -0000 @@ -61,7 +61,8 @@ shquote(argv) char **argv; { - long arg_max; + static long arg_max = -1; + long len; char **p, *dst, *src; static char *buf = NULL; @@ -80,13 +81,16 @@ for (p = argv; (src = *p++) != 0; ) { if (*src == 0) continue; - strvis(dst, src, VIS_NL | VIS_CSTYLE); + len = (4 * arg_max - (dst - buf)) / 4; + strvisx(dst, src, strlen(src) < len ? strlen(src) : len, + VIS_NL | VIS_CSTYLE); while (*dst) dst++; - *dst++ = ' '; + if ((4 * arg_max - (dst - buf)) / 4 > 0) + *dst++ = ' '; } /* Chop off trailing space */ - if (dst != buf) + if (dst != buf && dst[-1] == ' ') dst--; *dst = '\0'; return (buf);
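Review bot: in the first hunk (@@ -61,7 +61,8 @@), the new `static long arg_max = -1;` sentinel is never tested anywhere in this patch, and the code that assigns arg_max is not part of the diff; either the existing assignment is already guarded (in which case the `-1` initializer is dead and should be dropped) or a check for the sentinel is missing, and it should be made clear which. In the same hunk `len` is declared `long`, yet the second hunk compares it against `strlen(src)`, a `size_t`, so the comparison is signed/unsigned; declare `len` as `size_t` and document the invariant the arithmetic depends on, namely that `buf` holds at least `4 * arg_max + 1` bytes (strvisx can emit up to four output bytes per input byte plus the terminating NUL), since the allocation is not visible in this diff either.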
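Review bot: in the second hunk (@@ -80,13 +81,16 @@), `strlen(src)` is evaluated twice per argument in `strlen(src) < len ? strlen(src) : len`; compute it once into a `size_t slen` and use `slen < len ? slen : len`. Once the buffer is full (`len` reaches 0) the loop still walks every remaining argv entry and calls strlen() on each to no effect, which also keeps exercising the unterminated-string case the covering message worries about; a `break` when no space remains would avoid both. The truncation is silent, so a short comment above the loop stating that arguments beyond 4 * arg_max output bytes are dropped would help the next reader, and the `dst[-1] == ' '` guard on the trailing-space chop is necessary now that the space is only appended when room remains, so it is worth a one-line comment as well.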