Date:      Fri, 3 Dec 1999 21:35:44 -0800 (PST)
From:      Kris Kennaway <kris@hub.freebsd.org>
To:        audit@freebsd.org
Subject:   Buffer overflows in libc (yp)
Message-ID:  <Pine.BSF.4.21.9912032127370.19005-100000@hub.freebsd.org>

Can someone take a look over the attached patch against
lib/libc/yp/yplib.c, which fixes two buffer overflows in the YP code? This
is manifested in, e.g. 'ypcat -d $BIGBUF' which presently overflows and
smashes the stack.

Kris

Index: yp/yplib.c
===================================================================
RCS file: /home/ncvs//src/lib/libc/yp/yplib.c,v
retrieving revision 1.31
diff -u -r1.31 yplib.c
--- yplib.c	1999/08/28 00:02:58	1.31
+++ yplib.c	1999/12/04 05:23:10
@@ -29,7 +29,7 @@
  */
 
 #ifndef LINT
-static char *rcsid = "$FreeBSD$";
+static char *rcsid = "$FreeBSD: src/lib/libc/yp/yplib.c,v 1.31 1999/08/28 00:02:58 peter Exp $";
 #endif
 
 #include <sys/param.h>
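
Review bot: The change on the `static char *rcsid` line is unrelated to the overflow fix. It swaps the unexpanded `$FreeBSD$` keyword for an expanded revision string, which looks like keyword expansion from the local checkout leaking into the diff. Drop this hunk so the patch carries only the two bounds fixes.
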
@@ -372,7 +372,7 @@
 			ysd->dom_client = NULL;
 			ysd->dom_socket = -1;
 		}
-		sprintf(path, "%s/%s.%d", BINDINGDIR, dom, 2);
+		snprintf(path, sizeof(path), "%s/%s.%d", BINDINGDIR, dom, 2);
 		if( (fd=open(path, O_RDONLY)) == -1) {
 			/* no binding file, YP is dead. */
 			/* Try to bring it back to life. */
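
Review bot: The return value of snprintf() on the `path` line is not checked, so an over-long `dom` is silently truncated and the following `open(path, O_RDONLY)` runs on a shortened binding-file name instead of failing. Treat a return value that is negative or >= sizeof(path) as an error before the open(), or reject an over-long `dom` up front. The declaration of `path` is outside this hunk; confirm it is a char array, since sizeof(path) would otherwise be the size of a pointer.
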
@@ -503,7 +503,7 @@
 			*(u_short *)&ypbr.ypbind_resp_u.ypbind_bindinfo.ypbind_binding_port;
 gotit:
 		ysd->dom_vers = YPVERS;
-		strcpy(ysd->dom_domain, dom);
+		strlcpy(ysd->dom_domain, dom, sizeof(ysd->dom_domain)-1);
 	}
 
 	/* Don't rebuild the connection to the server unless we have to. */
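
Review bot: The size argument on the strlcpy() line should be `sizeof(ysd->dom_domain)`, not `sizeof(ysd->dom_domain)-1`. strlcpy() already copies at most size-1 bytes and NUL-terminates the result, so the extra -1 gives up one usable byte of the buffer; the -1 idiom belongs to strncpy(). The copy also truncates silently: comparing the return value against the size passed would let an over-long domain be rejected rather than stored shortened. As with `path`, the declaration of `dom_domain` is not visible here, so confirm it is an array and not a pointer.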


