Date:      18 Jan 2000 19:04:39 -0000
From:      venglin@lubi.FreeBSD.lublin.pl
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/16186: [PATCH] Insecure use of strncpy() and strcpy() in lpr(1)
Message-ID:  <20000118190439.1230.qmail@lubi.FreeBSD.lublin.pl>



>Number:         16186
>Category:       bin
>Synopsis:       [PATCH] Insecure use of strncpy() and strcpy() in lpr(1)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 18 11:10:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
Lublin BSD Users Group
>Environment:

FreeBSD lagoon.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #0: Sat Dec 18 17:37:37 CET 1999     root@:/usr/sys/compile/LAGOON  i386

>Description:

	1. Possible strcpy() buffer overflow in printjob.c:823
	2. No room for NULL termination in printjob.c:825, printjob.c:827,
	   printjob.c:836.

>How-To-Repeat:

>Fix:
	
--- printjob.c.orig	Tue Jan 18 19:34:50 2000
+++ printjob.c	Tue Jan 18 19:39:23 2000
@@ -818,24 +818,30 @@
 			i = 0;
 			while (*cp >= '0' && *cp <= '9')
 				i = i * 10 + (*cp++ - '0');
 			fino = i;
 		} else if (line[0] == 'H') {
-			strcpy(fromhost, line+1);
+			strncpy(fromhost, line+1, sizeof(fromhost) - 1);
+			fromhost[sizeof(fromhost)-1] = '\0';
 			if (class[0] == '\0')
+			{
 				strncpy(class, line+1, sizeof(class) - 1);
+				class[sizeof(class)-1] = '\0';
+			}
 		} else if (line[0] == 'P') {
 			strncpy(logname, line+1, sizeof(logname) - 1);
+			logname[sizeof(logname)-1] = '\0';
 			if (pp->restricted) { /* restricted */
 				if (getpwnam(logname) == NULL) {
 					sendmail(pp, line+1, NOACCT);
 					err = ERROR;
 					break;
 				}
 			}
 		} else if (line[0] == 'I') {
 			strncpy(indent+2, line+1, sizeof(indent) - 3);
+			indent[2+sizeof(indent)-3] = '\0';
 		} else if (line[0] >= 'a' && line[0] <= 'z') {
 			strcpy(last, line);
 			while ((i = getline(cfp)) != 0)
 				if (strcmp(last, line))
 					break;
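
Review bot: the strcpy(last, line); left as context in the final branch (line[0] >= 'a' && line[0] <= 'z') is still an unbounded copy of the same control-file line that this patch bounds for fromhost. Unless last is declared at least as large as line, it needs the same treatment: strncpy(last, line, sizeof(last) - 1); followed by last[sizeof(last)-1] = '\0';. In the 'I' branch, indent[2+sizeof(indent)-3] reduces to indent[sizeof(indent)-1], which is the right index, but writing it that way would match the other three terminators and be easier to check. Truncation is also silent: in the 'P' branch a cut-off logname is passed to getpwnam(), so a line longer than the buffer is looked up as a different, shorter name; rejecting over-long lines would be safer than truncating them. Style: the opening brace added on its own line after if (class[0] == '\0') does not match the surrounding code, which uses if (pp->restricted) {.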

>Release-Note:
>Audit-Trail:
>Unformatted:

