From owner-freebsd-bugs  Sat Oct 23  6:47:36 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 4038314DDB
	for <freebsd-bugs@FreeBSD.org>; Sat, 23 Oct 1999 06:47:19 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id GAA88815;
	Sat, 23 Oct 1999 06:47:19 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from internal.mail.demon.net (internal.mail.demon.net [193.195.224.3])
	by hub.freebsd.org (Postfix) with ESMTP id 2B73814D02
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 22 Oct 1999 11:31:47 -0700 (PDT)
	(envelope-from fanf@demon.net)
Received: from fanf.eng.demon.net (fanf.eng.demon.net [195.11.55.89])
	by internal.mail.demon.net with ESMTP id TAA04935;
	Fri, 22 Oct 1999 19:31:45 +0100 (BST)
Received: from fanf by fanf.eng.demon.net with local (Exim 3.03 #2)
	id 11ejT9-0005Sg-00
	for FreeBSD-gnats-submit@freebsd.org; Fri, 22 Oct 1999 19:31:15 +0100
Message-Id: <E11ejT9-0005Sg-00@fanf.eng.demon.net>
Date: Fri, 22 Oct 1999 19:31:15 +0100
From: Tony Finch <fanf@demon.net>
Reply-To: fanf@demon.net
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/14465: vipw has dodgy string handling
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         14465
>Category:       bin
>Synopsis:       vipw depends upon malloc() returning zero-filled memory
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 23 06:47:19 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Tony Finch
>Release:        FreeBSD 3.3-STABLE-19990927 i386
>Organization:
Demon Internet Ltd
>Environment:

FreeBSD fanf.eng.demon.net 3.3-STABLE-19990927 FreeBSD 3.3-STABLE-19990927 #14: Mon Sep 27 02:50:55 BST 1999     root@fanf.eng.demon.net:/usr/src/sys/compile/DELL-PREC410  i386

>Description:

If vipw is invoked like `vipw -d /some/directory/not/ending/in/slash`
then it replaces the terminating '\0' with '/' before calling strcat.
This would cause heap corruption if malloc() didn't happen to return a
block of zeroes.

>How-To-Repeat:

>Fix:
	
--- /usr/src/usr.sbin/vipw/vipw.c.orig	Fri Oct 22 19:24:51 1999
+++ /usr/src/usr.sbin/vipw/vipw.c	Fri Oct 22 19:25:51 1999
@@ -81,8 +81,9 @@
 				err(1, NULL);
 			strcpy(masterpasswd, optarg);
 			if (masterpasswd[strlen(masterpasswd) - 1] != '/')
-				masterpasswd[strlen(masterpasswd)] = '/';
-			strcat(masterpasswd, _MASTERPASSWD);
+				strcat(masterpasswd, "/" _MASTERPASSWD);
+			else
+				strcat(masterpasswd, _MASTERPASSWD);
 			if ((mppath = strdup(optarg)) == NULL)
 				err(1, NULL);
 			if (mppath[strlen(mppath) - 1] == '/')

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message