From owner-freebsd-hackers  Wed Aug 11  8:24: 1 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id A7C2514CE9
	for <freebsd-hackers@FreeBSD.ORG>; Wed, 11 Aug 1999 08:23:54 -0700 (PDT)
	(envelope-from des@flood.ping.uio.no)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.3) id RAA12678;
	Wed, 11 Aug 1999 17:23:34 +0200 (CEST)
	(envelope-from des)
To: Archie Cobbs <archie@whistle.com>
Cc: igusarov@chat.ru (Igor Gousarov), freebsd-hackers@FreeBSD.ORG
Subject: Re: Unsafe code in libc  in  3.0-RELEASE FreeBSD i386
References: <199902091620.IAA32532@bubba.whistle.com>
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Date: 11 Aug 1999 17:23:33 +0200
In-Reply-To: Archie Cobbs's message of "Tue, 9 Feb 1999 08:20:27 -0800 (PST)"
Message-ID: <xzpemhauyru.fsf@flood.ping.uio.no>
Lines: 57
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Archie Cobbs <archie@whistle.com> writes:
> Igor Gousarov writes:
> > The source file for setlocale function (/usr/src/lib/libc/locale/setlocale.c)
> > contains the line which might put libc into infinite loop:
> > [...]
> Please file a PR to make sure that this doesn't "slip through
> the cracks"...

It seems to have slipped through the cracks. Good thing I had a
process mark on this message. What do you think of the attached patch
(against -CURRENT)?

I think there's still a possibility of new_categories being overrun,
since there's no bounds checking on i in the do ... while (*locale)
loop. I suggest that a careful audit by somebody who knows this code
(or at least knows what it's supposed to do).

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

Index: src/lib/libc/locale/setlocale.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v
retrieving revision 1.23
diff -u -r1.23 setlocale.c
--- setlocale.c	1998/04/29 22:39:56	1.23
+++ setlocale.c	1999/08/11 15:21:05
@@ -156,9 +156,11 @@
 				new_categories[i][ENCODING_LEN] = '\0';
 			}
 		} else {
-			for (i = 1; r[1] == '/'; ++r);
+			while (r[1] == '/')
+				++r;
 			if (!r[1])
 				return (NULL);	/* Hmm, just slashes... */
+			i = 1;
 			do {
 				len = r - locale > ENCODING_LEN ? ENCODING_LEN : r - locale;
 				(void)strncpy(new_categories[i], locale, len);
@@ -169,13 +171,13 @@
 				    ++locale;
 				while (*++r && *r != '/');
 			} while (*locale);
-			while (i < _LC_LAST)
+			for (; i < _LC_LAST; ++i)
 				(void)strcpy(new_categories[i],
 				    new_categories[i-1]);
 		}
 	}
 
-	if (category)
+	if (category != LC_ALL)
 		return (loadlocale(category));
 
 	for (i = 1; i < _LC_LAST; ++i) {


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message