Date: Tue, 5 Oct 1999 09:47:02 +1000
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: Thomas David Rivers <rivers@dignus.com>
Cc: gnats-admin@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/14069: Buffer overflow in mail(1)
Message-ID: <99Oct5.094346est.40334@border.alcanet.com.au>
In-Reply-To: <199910011110.HAA03024@lakes.dignus.com>
References: <99Oct1.143612est.40354@border.alcanet.com.au> <199910011110.HAA03024@lakes.dignus.com>
On 1999-Oct-10 21:10:46 +1000, Thomas David Rivers wrote:
>  char *bufend;
>  int gotlt, lastsp;
>- char nbuf[BUFSIZ];
>+ char *nbuf = alloca(strlen(name));
>                      ^^^^^^^^^^^^
>
> Looking at the code, I believe it might be possible for the
> result length to be strlen(name) + 1.

Ooops.  I think I blew it.  I didn't work through the code in detail
and I'm sure it should be

	char *nbuf = alloca(strlen(name) + 1);

In any case, that was not really intended as a final fix.  There
appear to be lots of potential buffer overflows in mail(1).  I don't
really have the stomach for checking them all at present.

Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5982

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
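Review bot: `alloca(strlen(name))` in the `+` line reserves no byte for the terminating NUL, so any name whose skinned form is as long as the input overruns the new buffer by one; the reply above acknowledges this and the size should be `strlen(name) + 1`. A second problem with the same line is that `alloca` sizes the stack frame from header data the sender controls and has no way to report failure, so swapping the fixed `char nbuf[BUFSIZ]` for it trades a bounded overflow for an unbounded stack allocation. Prefer `char *nbuf = malloc(strlen(name) + 1);` with a NULL check and a `free` on every exit path, or keep the array and bound every write against `sizeof nbuf`.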
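The exchange above turns on one sizing question: how many bytes can the "skinned" form of an address need? The following is an added illustration, not the mail(1) source. It is a simplified address-stripping routine of my own (the names `skin_into`, `skin_dup` and `skin_fits` are invented for this example) in the spirit of the variables visible in the hunk (`gotlt`, `lastsp`, `nbuf`): it drops `(comments)`, collapses whitespace and, if a `<route-addr>` is present, keeps only what is between the angle brackets. Because every input byte produces at most one output byte, the worst case is the whole input plus a NUL, which is exactly the `strlen(name) + 1` the reply settles on. The example allocates with `malloc` rather than `alloca` so that a very long header line cannot grow the stack without bound and allocation failure can be reported; the sample addresses are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the skinned form of `name` into `out` (capacity `outlen` bytes,
 * NUL included).  Returns 0 on success, -1 if the result would not fit.
 * Every write is bounded, so a short `out` yields an error, never an
 * overflow.  This is an illustrative routine, not mail(1)'s skin(). */
static int skin_into(const char *name, char *out, size_t outlen)
{
    size_t n = 0;       /* bytes written so far, NUL not counted */
    int gotlt = 0;      /* saw '<': restart with the route address  */
    int lastsp = 0;     /* last emitted byte was a space             */
    int depth = 0;      /* nesting depth inside (comments)           */
    const char *p;

    if (outlen == 0)
        return -1;
    for (p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;

        if (depth > 0) {                /* inside a comment: swallow it */
            if (c == '(') depth++;
            else if (c == ')') depth--;
            continue;
        }
        if (c == '(') { depth = 1; continue; }
        if (c == '<') { n = 0; lastsp = 0; gotlt = 1; continue; }
        if (c == '>' && gotlt) break;   /* end of <route-addr> */
        if (isspace(c)) {
            if (n == 0 || lastsp)       /* drop leading / repeated space */
                continue;
            c = ' ';
            lastsp = 1;
        } else {
            lastsp = 0;
        }
        if (n + 1 >= outlen)            /* this byte plus the NUL must fit */
            return -1;
        out[n++] = (char)c;
    }
    while (n > 0 && out[n - 1] == ' ')  /* trim trailing space */
        n--;
    out[n] = '\0';
    return 0;
}

/* Exact-size variant.  The skinned form never has more characters than
 * the input, so strlen(name) + 1 bytes (the +1 for the NUL) always
 * suffice.  Heap, not alloca: a long header line cannot blow the stack,
 * and failure is visible as NULL.  Caller frees the result. */
static char *skin_dup(const char *name)
{
    size_t need = strlen(name) + 1;
    char *buf = malloc(need);

    if (buf == NULL)
        return NULL;
    if (skin_into(name, buf, need) != 0) {  /* impossible by construction */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Does the skinned form of `name` fit in a buffer of `bufsize` bytes?
 * Used below to show that strlen(name) bytes is one too few. */
static int skin_fits(const char *name, size_t bufsize)
{
    char *tmp = malloc(bufsize ? bufsize : 1);
    int ok;

    if (tmp == NULL)
        return 0;
    ok = skin_into(name, tmp, bufsize) == 0;
    free(tmp);
    return ok;
}

int main(void)
{
    /* Constructed sample headers for the example. */
    const char *samples[] = {
        "Peter Jeremy (VK2PJ) <peter@example.org>",
        "  plain  name  ",
        "x (a (nested) comment) y",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *s = skin_dup(samples[i]);
        printf("%-45s -> \"%s\"\n", samples[i], s ? s : "(alloc failed)");
        free(s);
    }
    /* The off-by-one from the thread: a name with nothing to strip needs
     * strlen(name) + 1 bytes, so strlen(name) alone is rejected. */
    printf("fits in strlen(name):     %d\n", skin_fits("a b c", strlen("a b c")));
    printf("fits in strlen(name) + 1: %d\n", skin_fits("a b c", strlen("a b c") + 1));
    return 0;
}
```

The bounded copy is the part that matters: with `nbuf[BUFSIZ]` the original needed a check like the `n + 1 >= outlen` test before every store, and with an exact-size heap buffer the check can never fire, which is what makes the `+ 1` a complete fix for this one site.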