Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 20 Oct 2025 16:11:35 GMT
From:      Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= <des@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 3d680881f6ed - stable/15 - quot: Fix benign buffer overflow
Message-ID:  <202510201611.59KGBZ3T036299@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch stable/15 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=3d680881f6ed2f55079aac26cf0ded307c282563

commit 3d680881f6ed2f55079aac26cf0ded307c282563
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-10-17 11:54:48 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-10-20 16:11:21 +0000

    quot: Fix benign buffer overflow
    
    If it encounters an inode whose owner does not have a pw entry, quot
    allocates a 7-byte buffer (8 in practice, since that is the minimum
    allocation size) and uses it to store the numeric uid preceded by a
    hash character.  This will overflow the allocated buffer if the UID
    exceeds 6 decimal digits.  Avoid this by using asprintf() instead.
    
    While here, simplify the common case as well using strdup().
    
    Reported by:    Igor Gabriel Sousa e Souza <igor@bsdtrust.com>
    MFC after:      3 days
    Reviewed by:    obiwac, emaste
    Differential Revision:  https://reviews.freebsd.org/D53129
    
    (cherry picked from commit 5854d1cbab1073d78519e7ad9a6eb5726341d587)
---
 usr.sbin/quot/quot.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/quot/quot.c b/usr.sbin/quot/quot.c
index 4152c498371a..c11c46a500a1 100644
--- a/usr.sbin/quot/quot.c
+++ b/usr.sbin/quot/quot.c
@@ -280,14 +280,10 @@ user(uid_t uid)
 		    usr--) {
 			if (!usr->name) {
 				usr->uid = uid;
-
 				if (!(pwd = getpwuid(uid))) {
-					if ((usr->name = (char *)malloc(7)))
-						sprintf(usr->name,"#%d",uid);
+					asprintf(&usr->name, "#%u", uid);
 				} else {
-					if ((usr->name = (char *)
-					    malloc(strlen(pwd->pw_name) + 1)))
-						strcpy(usr->name,pwd->pw_name);
+					usr->name = strdup(pwd->pw_name);
 				}
 				if (!usr->name)
 					errx(1, "allocate users");
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202510201611.59KGBZ3T036299>