Skip site navigation (1)Skip section navigation (2) 
Date:      11 Aug 1999 17:23:33 +0200
From:      Dag-Erling Smorgrav <des@flood.ping.uio.no>
To:        Archie Cobbs <archie@whistle.com>
Cc:        igusarov@chat.ru (Igor Gousarov), freebsd-hackers@FreeBSD.ORG
Subject:   Re: Unsafe code in libc  in  3.0-RELEASE FreeBSD i386
Message-ID:  <xzpemhauyru.fsf@flood.ping.uio.no>
In-Reply-To: Archie Cobbs's message of "Tue, 9 Feb 1999 08:20:27 -0800 (PST)"
References:  <199902091620.IAA32532@bubba.whistle.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Archie Cobbs <archie@whistle.com> writes:
> Igor Gousarov writes:
> > The source file for setlocale function (/usr/src/lib/libc/locale/setlocale.c)
> > contains the line which might put libc into infinite loop:
> > [...]
> Please file a PR to make sure that this doesn't "slip through
> the cracks"...

It seems to have slipped through the cracks. Good thing I had a
process mark on this message. What do you think of the attached patch
(against -CURRENT)?

I think there's still a possibility of new_categories being overrun,
since there's no bounds checking on i in the do ... while (*locale)
loop. I suggest that a careful audit by somebody who knows this code
(or at least knows what it's supposed to do).

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

Index: src/lib/libc/locale/setlocale.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v
retrieving revision 1.23
diff -u -r1.23 setlocale.c
--- setlocale.c	1998/04/29 22:39:56	1.23
+++ setlocale.c	1999/08/11 15:21:05
@@ -156,9 +156,11 @@
 				new_categories[i][ENCODING_LEN] = '\0';
 			}
 		} else {
-			for (i = 1; r[1] == '/'; ++r);
+			while (r[1] == '/')
+				++r;
 			if (!r[1])
 				return (NULL);	/* Hmm, just slashes... */
+			i = 1;
 			do {
 				len = r - locale > ENCODING_LEN ? ENCODING_LEN : r - locale;
 				(void)strncpy(new_categories[i], locale, len);
@@ -169,13 +171,13 @@
 				    ++locale;
 				while (*++r && *r != '/');
 			} while (*locale);
-			while (i < _LC_LAST)
+			for (; i < _LC_LAST; ++i)
 				(void)strcpy(new_categories[i],
 				    new_categories[i-1]);
 		}
 	}
 
-	if (category)
+	if (category != LC_ALL)
 		return (loadlocale(category));
 
 	for (i = 1; i < _LC_LAST; ++i) {


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpemhauyru.fsf>