From owner-freebsd-bugs Wed Oct 16 16:40:06 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA15603 for bugs-outgoing; Wed, 16 Oct 1996 16:40:06 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA15577; Wed, 16 Oct 1996 16:40:03 -0700 (PDT)
Resent-Date: Wed, 16 Oct 1996 16:40:03 -0700 (PDT)
Resent-Message-Id: <199610162340.QAA15577@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, karl@mcs.net
Received: from Codebase.mcs.net (codebase.mcs.net [192.160.127.89]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA15521 for ; Wed, 16 Oct 1996 16:39:31 -0700 (PDT)
Received: (from root@localhost) by Codebase.mcs.net (8.7.6/8.6.12) id SAA02876; Wed, 16 Oct 1996 18:39:30 -0500 (CDT)
Message-Id: <199610162339.SAA02876@Codebase.mcs.net>
Date: Wed, 16 Oct 1996 18:39:30 -0500 (CDT)
From: karl@mcs.net
Reply-To: karl@mcs.net
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1826: Bug in libc/gen/getcwd.c - null missing on end of string
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1826
>Category: bin
>Synopsis: A null byte is not being added on the end of current directory
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 16 16:40:01 PDT 1996
>Last-Modified:
>Originator: Karl
>Organization: MCSNet
>Release: FreeBSD 2.2-961004-SNAP i386
>Environment:
libc.so problem; present in 2.2-961004-SNAP and likely up to now
>Description:
The getcwd() routine builds a string of parent directories (ie: "../") as it walks up the directory structure. When the "/" is added on, a null is not -- the buffer is malloc'd and as such is NOT guaranteed to be full of nulls! We should guarantee that the string being opened (opendir()) is in fact null terminated.
>How-To-Repeat: Instrument getcwd() and trace what it tries to open under all conditions. You'll see random buffer data present. >Fix: Index: getcwd.c =================================================================== RCS file: /usr/cvs/src/lib/libc/gen/getcwd.c,v retrieving revision 1.6 diff -r1.6 getcwd.c 156a157 > *bup = 0; /* KSD 10/16/96 - Null was missing here ! */ -- Karl Denninger karl@mcs.net >Audit-Trail: >Unformatted:
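
Review bot: the store added at line 157 writes through bup, but the plain `diff -r1.6` output carries no context lines, so it cannot be seen from the hunk whether the malloc'd buffer is guaranteed to have a byte left for the terminator after the "/" at that point. Please confirm that the size check ahead of this store counts the terminator, and resend as a context or unified diff so the surrounding lines can be reviewed. Two smaller points on the same line: `*bup = '\0';` states the intent of a char store more clearly than `0`, and the initials and date in the comment belong in the commit log rather than in the source.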
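
The failure mode described in the report, reduced to a deterministic model. This is an added example, not code from the report or from FreeBSD's getcwd.c. The helper names, the 0x41 fill byte standing in for uninitialised malloc() memory, and the buffer sizes are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0x41 /* constructed stand-in for stale heap contents */
/* Append "../" depth times into buf[cap]. Returns bytes written, or -1 if
 * the path plus its terminator would not fit. Hypothetical helper. */
long fill_up_path(char *buf, size_t cap, size_t depth, int terminate)
{
    char *bup = buf;
    if (cap == 0 || depth > (cap - 1) / 3)
        return -1;
    for (size_t i = 0; i < depth; i++) {
        *bup++ = '.';
        *bup++ = '.';
        *bup++ = '/';
    }
    if (terminate)
        *bup = '\0'; /* the store the report says was missing */
    return (long)(bup - buf);
}

/* 1 if a NUL lies inside the allocation, so string functions stay in bounds. */
int terminated_within(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Poison a fresh buffer, build the path, and check it.
 * Returns 1 = valid C string, 0 = unterminated, -1 = did not fit. */
int check_up_path(size_t depth, size_t cap, int terminate)
{
    int ok = -1;
    char *buf = malloc(cap ? cap : 1);
    if (buf == NULL)
        return -1;
    memset(buf, POISON, cap);
    if (fill_up_path(buf, cap, depth, terminate) >= 0)
        ok = terminated_within(buf, cap) && strlen(buf) == depth * 3;
    free(buf);
    return ok;
}

int main(void)
{
    printf("%d %d %d\n", check_up_path(3, 32, 1),
           check_up_path(3, 32, 0), check_up_path(3, 9, 1));
    return 0;
}
```

The bounded memchr() check is what keeps the unterminated case from reading past the allocation; calling strlen() or opendir() on that buffer directly would not stop at the end of the path.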