Message-Id: <20000118190439.1230.qmail@lubi.FreeBSD.lublin.pl>
Date: 18 Jan 2000 19:04:39 -0000
From: venglin@lubi.FreeBSD.lublin.pl
Reply-To: venglin@lubi.FreeBSD.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/16186: [PATCH] Insecure use of strncpy() and strcpy() in lpr(1)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 16186
>Category: bin
>Synopsis: [PATCH] Insecure use of strncpy() and strcpy() in lpr(1)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 18 11:10:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 3.4-STABLE i386
>Organization: Lublin BSD Users Group
>Environment:
FreeBSD lagoon.freebsd.lublin.pl 3.4-STABLE FreeBSD 3.4-STABLE #0: Sat Dec 18 17:37:37 CET 1999 root@:/usr/sys/compile/LAGOON i386
>Description:
1. Possible strcpy() buffer overflow in printjob.c:823
2. No room for NULL termination in printjob.c:825, printjob.c:827, printjob.c:836.
>How-To-Repeat:
>Fix:
--- printjob.c.orig Tue Jan 18 19:34:50 2000 +++ printjob.c Tue Jan 18 19:39:23 2000 
@@ -818,24 +818,30 @@ i = 0; while (*cp >= '0' && *cp <= '9') i = i * 10 + (*cp++ - '0'); fino = i; } else if (line[0] == 'H') { - strcpy(fromhost, line+1); + strncpy(fromhost, line+1, sizeof(fromhost) - 1); + fromhost[sizeof(fromhost)-1] = '\0'; if (class[0] == '\0') + { strncpy(class, line+1, sizeof(class) - 1); + class[sizeof(class)-1] = '\0'; + } } else if (line[0] == 'P') { strncpy(logname, line+1, sizeof(logname) - 1); + logname[sizeof(logname)-1] = '\0'; if (pp->restricted) { /* restricted */ if (getpwnam(logname) == NULL) { sendmail(pp, line+1, NOACCT); err = ERROR; break; } } } else if (line[0] == 'I') { strncpy(indent+2, line+1, sizeof(indent) - 3); + indent[2+sizeof(indent)-3] = '\0'; } else if (line[0] >= 'a' && line[0] <= 'z') { strcpy(last, line); while ((i = getline(cfp)) != 0) if (strcmp(last, line)) break; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
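Review bot: The `strcpy(last, line);` in the trailing context (the `line[0] >= 'a' && line[0] <= 'z'` branch) is still unbounded after this change. Unless `last` is guaranteed to be at least as large as `line`, which the hunk does not show, it should get the same treatment as `fromhost`: `strncpy(last, line, sizeof(last) - 1);` followed by `last[sizeof(last)-1] = '\0';`. In the `'I'` branch, `indent[2+sizeof(indent)-3] = '\0';` does land on the last byte of the buffer, but the arithmetic hides that; writing it as `indent[sizeof(indent)-1] = '\0';` matches the other three terminators and is easier to audit. The new braces around the `class` copy put `{` on its own line, while the surrounding code (`if (pp->restricted) {`) keeps it on the `if` line, so the added block should follow that style.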