Date:      Sat, 10 Oct 1998 08:10:40 GMT
From:      zach@gaffaneys.com
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   bin/8250: buffer overflow in mail(1)
Message-ID:  <199810100810.IAA13069@k6n1.znh.org>


>Number:         8250
>Category:       bin
>Synopsis:       buffer overflow in mail(1)
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 10 01:20:01 PDT 1998
>Last-Modified:
>Originator:     Zach Heilig
>Organization:
none
>Release:        FreeBSD 3.0-BETA i386
>Environment:

>Description:

>How-To-Repeat:

1) set TMPDIR to any string longer than 14 characters.
2) run 'mail'

Thanks to Studded (Doug) for stumbling across this one :-)

>Fix:

Index: temp.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/mail/temp.c,v
retrieving revision 1.3
diff -u -r1.3 temp.c
--- temp.c	1997/07/24 06:56:33	1.3
+++ temp.c	1998/10/10 07:16:34
@@ -49,11 +49,11 @@
  * Give names to all the temporary files that we will need.
  */
 
-char	tempMail[24];
-char	tempQuit[24];
-char	tempEdit[24];
-char	tempResid[24];
-char	tempMesg[24];
+char	tempMail[FILENAME_MAX];
+char	tempQuit[FILENAME_MAX];
+char	tempEdit[FILENAME_MAX];
+char	tempResid[FILENAME_MAX];
+char	tempMesg[FILENAME_MAX];
 char	*tmpdir;
 
 void
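Review bot: the five arrays at the top of this hunk are each sized separately with FILENAME_MAX, yet the length check added further down tests only sizeof tempMail, so the fix holds only while all five stay the same size. Define one shared size macro for them (or add a comment above the declarations stating the dependency) so a later change to a single array cannot silently reopen the overflow. PATH_MAX is also the more usual bound for a buffer that holds a full path, whereas FILENAME_MAX comes from <stdio.h>.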
@@ -72,6 +72,11 @@
 		cp[len] = '/';
 		cp[len + 1] = '\0';
 		tmpdir = cp;
+	}
+
+	if ((strlen(tmpdir) + sizeof("RsXXXXXX")) > sizeof tempMail) {
+	  printf("ERROR: Temporary filename buffers are not big enough!\n");
+	  exit(1);
 	}
 
 	strcpy(tempMail, tmpdir);
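Review bot: the added check, (strlen(tmpdir) + sizeof("RsXXXXXX")) > sizeof tempMail, is correct only while "RsXXXXXX" is the longest suffix used and every buffer is at least as large as tempMail, and the strcpy(tempMail, tmpdir) right after it is still unbounded. Building each name with snprintf(buf, sizeof buf, ...) and testing the return value would tie the bound to the buffer actually being written. The message should also go to stderr (fprintf(stderr, ...) or errx(1, ...)) rather than through printf, and the body of the new if is indented with a tab plus two spaces where the surrounding lines use tabs only.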
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
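
The 14-character threshold from How-To-Repeat and a bounded alternative to the strcpy() construction, as an added example that is not part of the original report or of the mail(1) source. It assumes exactly one '/' is appended to the TMPDIR value (as the patch's context lines show) and that "RsXXXXXX" is the longest suffix; the function names and sample directories are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define OLD_BUF 24	/* size of tempMail[] etc. before the patch */

/*
 * Bytes needed for "<tmpdir>/<suffix>" including the terminating NUL.
 * Assumption: exactly one '/' is appended to the TMPDIR value.
 */
size_t
temp_name_need(const char *tmpdir_env, const char *suffix)
{
	return strlen(tmpdir_env) + 1 + strlen(suffix) + 1;
}

/*
 * Bounded replacement for the strcpy()-style construction.
 * Returns 0 on success, -1 if the name would not fit in dst.
 */
int
build_temp_name(char *dst, size_t dstsz, const char *tmpdir_env,
    const char *suffix)
{
	int n = snprintf(dst, dstsz, "%s/%s", tmpdir_env, suffix);

	return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

int
main(void)
{
	/* Constructed sample values: 4, 14 and 15 characters long. */
	const char *dirs[] = { "/tmp", "/var/tmp/12345", "/var/tmp/123456" };
	char buf[OLD_BUF];
	size_t i;

	for (i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
		int rc = build_temp_name(buf, sizeof buf, dirs[i], "RsXXXXXX");

		printf("%-16s needs %2zu of %d bytes: %s\n", dirs[i],
		    temp_name_need(dirs[i], "RsXXXXXX"), OLD_BUF,
		    rc == 0 ? buf : "rejected (would overflow)");
	}
	return 0;
}
```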


