Date: Thu, 7 Feb 2002 12:35:27 +1100
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: biometrix <bio.metrix@gte.net>
Cc: audit@FreeBSD.ORG
Subject: Re: tmpfile() libc call causes buffer overflow?
Message-ID: <20020207123527.B425@descent.robbins.dropbear.id.au>
In-Reply-To: <20020207010159.EFLX12982.out008.verizon.net@there>; from bio.metrix@gte.net on Tue, Feb 05, 2002 at 07:05:30PM +0000
References: <20020207010159.EFLX12982.out008.verizon.net@there>

On Tue, Feb 05, 2002 at 07:05:30PM +0000, biometrix wrote:
> The code executed just before the segmentation fault is :
>
> if ((err = tmpfile()) == NULL) {
>     (void)fputs("Cannot defer diagnostic messages\n",stderr);
>     return(1);
> }

This is a bug in pr. Its usage() function writes to `err', which is NULL at this point, instead of stderr.

tmpfile() returns NULL because it can't create a temporary file in a directory that doesn't exist (the length of TMPDIR does not matter at all, it can even be empty). There is no buffer overflow here.

Index: pr/pr.c =================================================================== RCS file: /home/ncvs/src/usr.bin/pr/pr.c,v retrieving revision 1.11 diff -u -r1.11 pr.c --- pr/pr.c 2001/03/21 14:32:02 1.11 +++ pr/pr.c 2002/02/07 01:38:18 @@ -1561,11 +1561,11 @@ usage() { (void)fputs( - "usage: pr [+page] [-col] [-adFmrt] [-e[ch][gap]] [-h header]\n",err); +"usage: pr [+page] [-col] [-adFmrt] [-e[ch][gap]] [-h header]\n", stderr); (void)fputs( - " [-i[ch][gap]] [-l line] [-n[ch][width]] [-o offset]\n",err); - (void)fputs( - " [-L locale] [-s[ch]] [-w width] [-] [file ...]\n", err); +" [-i[ch][gap]] [-l line] [-n[ch][width]] [-o offset]\n", stderr); +(void)fputs( +" [-L locale] [-s[ch]] [-w width] [-] [file ...]\n", stderr); } /*

Tim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
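
Review bot: `err` is still NULL after tmpfile() fails, and switching the three fputs() calls in usage() to stderr only covers this one writer; any other diagnostic that goes through `err` on the same failure path would fault in the same way. Consider also setting err = stderr in the branch where tmpfile() returns NULL, or confirm that usage() is the only function reachable there that writes to `err`. As a style point, the added string and `(void)fputs(` lines start at column 0 as shown here, while the lines they replace were indented; keeping the original indentation would make the change a pure `err` to `stderr` substitution.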