From owner-freebsd-hackers Wed Aug 11 8:24: 1 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id A7C2514CE9 for ; Wed, 11 Aug 1999 08:23:54 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id RAA12678; Wed, 11 Aug 1999 17:23:34 +0200 (CEST) (envelope-from des)
To: Archie Cobbs
Cc: igusarov@chat.ru (Igor Gousarov), freebsd-hackers@FreeBSD.ORG
Subject: Re: Unsafe code in libc in 3.0-RELEASE FreeBSD i386
References: <199902091620.IAA32532@bubba.whistle.com>
From: Dag-Erling Smorgrav
Date: 11 Aug 1999 17:23:33 +0200
In-Reply-To: Archie Cobbs's message of "Tue, 9 Feb 1999 08:20:27 -0800 (PST)"
Message-ID:
Lines: 57
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Archie Cobbs writes:
> Igor Gousarov writes:
> > The source file for the setlocale function (/usr/src/lib/libc/locale/setlocale.c)
> > contains the line which might put libc into an infinite loop:
> > [...]
> Please file a PR to make sure that this doesn't "slip through
> the cracks"...

It seems to have slipped through the cracks. Good thing I had a process mark on this message. What do you think of the attached patch (against -CURRENT)?

I think there's still a possibility of new_categories being overrun, since there's no bounds checking on i in the do ... while (*locale) loop. I suggest a careful audit by somebody who knows this code (or at least knows what it's supposed to do).

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

Index: src/lib/libc/locale/setlocale.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v
retrieving revision 1.23
diff -u -r1.23 setlocale.c
--- setlocale.c 1998/04/29 22:39:56 1.23
+++ setlocale.c 1999/08/11 15:21:05
@@ -156,9 +156,11 @@ new_categories[i][ENCODING_LEN] = '\0'; } } else { - for (i = 1; r[1] == '/'; ++r); + while (r[1] == '/') + ++r; if (!r[1]) return (NULL); /* Hmm, just slashes... */ + i = 1; do { len = r - locale > ENCODING_LEN ? ENCODING_LEN : r - locale; (void)strncpy(new_categories[i], locale, len); @@ -169,13 +171,13 @@ ++locale; while (*++r && *r != '/'); } while (*locale); - while (i < _LC_LAST) + for (; i < _LC_LAST; ++i) (void)strcpy(new_categories[i], new_categories[i-1]); } } - if (category) + if (category != LC_ALL) return (loadlocale(category)); for (i = 1; i < _LC_LAST; ++i) { To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
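Review bot: in the first hunk (@@ -156,9 +156,11 @@), the do-loop that follows the new `i = 1;` still indexes `new_categories[i]` in `(void)strncpy(new_categories[i], locale, len);` with no check that `i < _LC_LAST`, so a locale string with more slash-separated components than there are categories can still overrun the array, exactly as the cover note warns. Add a bound check before the strncpy (for example, stop parsing and return NULL once `i` reaches `_LC_LAST`) rather than leaving the overrun for a later audit. The rewrite of `for (i = 1; r[1] == '/'; ++r);` into `while (r[1] == '/') ++r;` plus a separate `i = 1;` preserves behaviour and reads more clearly; the only thing the visible lines do not show is whether `new_categories[i]` is NUL-terminated after the strncpy when `len == ENCODING_LEN`, so confirm that the elided part of the loop body does so.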
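Review bot: in the second hunk (@@ -169,13 +171,13 @@), changing `while (i < _LC_LAST)` to `for (; i < _LC_LAST; ++i)` is the actual fix for the reported hang: the old loop body `(void)strcpy(new_categories[i], new_categories[i-1]);` never advanced `i`, so it spun forever whenever the caller supplied fewer components than categories. The commit message should say that explicitly, since nothing in the diff itself explains why the loop form changed. Separately, `if (category)` becoming `if (category != LC_ALL)` is behaviour-preserving only when `LC_ALL == 0` (true for FreeBSD's <locale.h>, but not something this diff shows); mention that in the commit message, or the two edits look unrelated to the infinite-loop fix.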