Date: Thu, 7 Feb 2002 12:35:27 +1100
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: biometrix <bio.metrix@gte.net>
Cc: audit@FreeBSD.ORG
Subject: Re: tmpfile() libc call causes buffer overflow?
Message-ID: <20020207123527.B425@descent.robbins.dropbear.id.au>
In-Reply-To: <20020207010159.EFLX12982.out008.verizon.net@there>; from bio.metrix@gte.net on Tue, Feb 05, 2002 at 07:05:30PM +0000
References: <20020207010159.EFLX12982.out008.verizon.net@there>
On Tue, Feb 05, 2002 at 07:05:30PM +0000, biometrix wrote:
> The code executed just before the segmentation fault is:
>
> if ((err = tmpfile()) == NULL) {
>         (void)fputs("Cannot defer diagnostic messages\n", stderr);
>         return(1);
> }
This is a bug in pr. Its usage() function writes to `err', which is NULL
at this point, instead of stderr. tmpfile() returns NULL because it can't
create a temporary file in a directory that doesn't exist (the length of
TMPDIR does not matter at all, it can even be empty). There is no buffer
overflow here.
Index: pr/pr.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/pr/pr.c,v
retrieving revision 1.11
diff -u -r1.11 pr.c
--- pr/pr.c 2001/03/21 14:32:02 1.11
+++ pr/pr.c 2002/02/07 01:38:18
@@ -1561,11 +1561,11 @@
usage()
{
(void)fputs(
- "usage: pr [+page] [-col] [-adFmrt] [-e[ch][gap]] [-h header]\n",err);
+"usage: pr [+page] [-col] [-adFmrt] [-e[ch][gap]] [-h header]\n", stderr);
(void)fputs(
- " [-i[ch][gap]] [-l line] [-n[ch][width]] [-o offset]\n",err);
- (void)fputs(
- " [-L locale] [-s[ch]] [-w width] [-] [file ...]\n", err);
+" [-i[ch][gap]] [-l line] [-n[ch][width]] [-o offset]\n", stderr);
+(void)fputs(
+" [-L locale] [-s[ch]] [-w width] [-] [file ...]\n", stderr);
}
/*
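Review bot: the three added lines in this hunk (`+"usage: pr ...`, `+" [-i[ch][gap]] ...`, `+(void)fputs(`) carry no leading indentation while the lines they replace were indented, so either the mailer stripped the tabs in transit or the committed usage() will be misindented; restore the original indentation before committing. The substance of the change, passing stderr instead of `err` to each fputs() in usage(), is the right fix for the NULL-stream write described in the reply, since a usage error must be reportable even when `err` was never opened.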
Tim
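The defect described above is a diagnostic routine writing to a FILE* that may still be NULL. As an added example that is not part of this thread or of the FreeBSD pr(1) source, the following C code shows a defensive pattern for deferred diagnostics: the stream is selected through a helper that falls back to stderr whenever the deferral file could not be opened, so a usage error can never dereference NULL. The function names (diag_stream, emit_diag, open_deferred, flush_deferred, demo_roundtrip) and the sample messages are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Choose where a diagnostic goes: the deferral file if it was opened
 * successfully, otherwise stderr. This is the check pr's usage() lacked:
 * it wrote to `err` unconditionally, even when tmpfile() had failed. */
FILE *diag_stream(FILE *deferred)
{
    return deferred != NULL ? deferred : stderr;
}

/* Write one diagnostic to the selected stream.
 * Returns the number of characters written, or -1 on a write error. */
int emit_diag(FILE *deferred, const char *msg)
{
    FILE *fp = diag_stream(deferred);

    if (fputs(msg, fp) == EOF)
        return -1;
    return (int)strlen(msg);
}

/* Open the deferral stream the way pr does, reporting failure on stderr.
 * tmpfile() returns NULL when the temporary directory cannot be used;
 * the caller must be prepared for that and keep using stderr. */
FILE *open_deferred(void)
{
    FILE *fp = tmpfile();

    if (fp == NULL)
        (void)fputs("Cannot defer diagnostic messages\n", stderr);
    return fp;
}

/* Replay everything deferred so far onto `out` (normally stderr).
 * Returns the number of bytes copied; 0 when nothing was deferred. */
long flush_deferred(FILE *deferred, FILE *out)
{
    char buf[512];
    size_t n;
    long total = 0;

    if (deferred == NULL)
        return 0;
    rewind(deferred);
    while ((n = fread(buf, 1, sizeof buf, deferred)) > 0) {
        if (fwrite(buf, 1, n, out) != n)
            return -1;
        total += (long)n;
    }
    return total;
}

/* Exercise the whole path: open the deferral file, queue two constructed
 * diagnostics, replay them into a second temporary file standing in for
 * stderr. Returns the number of bytes replayed, or -1 if tmpfile() failed. */
long demo_roundtrip(void)
{
    FILE *deferred = open_deferred();
    FILE *sink;
    long n;

    if (deferred == NULL)
        return -1;
    emit_diag(deferred, "pr: line too long\n");   /* 18 bytes */
    emit_diag(deferred, "pr: bad column\n");      /* 15 bytes */

    sink = tmpfile();                              /* quiet stand-in for stderr */
    n = sink != NULL ? flush_deferred(deferred, sink) : -1;
    if (sink != NULL)
        fclose(sink);
    fclose(deferred);
    return n;
}

int main(void)
{
    /* With no deferral file, the diagnostic still reaches stderr safely. */
    emit_diag(NULL, "usage: demo [file ...]\n");
    printf("replayed %ld bytes\n", demo_roundtrip());
    return 0;
}
```

The important design point is that every writer goes through diag_stream() rather than holding the raw FILE*; a later caller added to the program cannot reintroduce the NULL dereference, and the fallback to stderr is decided in exactly one place.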