From owner-freebsd-bugs Sat Oct 10 01:20:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA06872 for freebsd-bugs-outgoing; Sat, 10 Oct 1998 01:20:06 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA06846 for ; Sat, 10 Oct 1998 01:20:03 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id BAA28450; Sat, 10 Oct 1998 01:20:01 -0700 (PDT)
Received: from k6n1.znh.org (dialup4.gaffaneys.com [208.155.161.54]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA05492 for ; Sat, 10 Oct 1998 01:10:32 -0700 (PDT) (envelope-from zach@gaffaneys.com)
Received: (from zach@localhost) by k6n1.znh.org (8.9.1/8.9.1) id IAA13069; Sat, 10 Oct 1998 08:10:40 GMT (envelope-from zach)
Message-Id: <199810100810.IAA13069@k6n1.znh.org>
Date: Sat, 10 Oct 1998 08:10:40 GMT
From: zach@gaffaneys.com
Reply-To: zach@gaffaneys.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/8250: buffer overflow in mail(1)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 8250
>Category: bin
>Synopsis: buffer overflow in mail(1)
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Oct 10 01:20:01 PDT 1998
>Last-Modified:
>Originator: Zach Heilig
>Organization: none
>Release: FreeBSD 3.0-BETA i386
>Environment:
>Description:
>How-To-Repeat:
1) set TMPDIR to any string longer than 14 characters.
2) run 'mail'

Thanks to Studded (Doug) for stumbling across this one :-)
>Fix:
Index: temp.c =================================================================== RCS file: /home/ncvs/src/usr.bin/mail/temp.c,v retrieving revision 1.3 diff -u -r1.3 temp.c --- temp.c 1997/07/24 06:56:33 1.3 +++ temp.c 1998/10/10 07:16:34 @@ -49,11 +49,11 @@ * Give names to all the temporary files that we will need. */ -char tempMail[24]; -char tempQuit[24]; -char tempEdit[24]; -char tempResid[24]; -char tempMesg[24]; +char tempMail[FILENAME_MAX]; +char tempQuit[FILENAME_MAX]; +char tempEdit[FILENAME_MAX]; +char tempResid[FILENAME_MAX]; +char tempMesg[FILENAME_MAX]; char *tmpdir; void @@ -72,6 +72,11 @@ cp[len] = '/'; cp[len + 1] = '\0'; tmpdir = cp; + } + + if ((strlen(tmpdir) + sizeof("RsXXXXXX")) > sizeof tempMail) { + printf("ERROR: Temporary filename buffers are not big enough!\n"); + exit(1); } strcpy(tempMail, tmpdir);
>Audit-Trail:
>Unformatted:
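Review bot: in the first hunk (@@ -49,11 +49,11 @@), the five temp-name arrays are resized to FILENAME_MAX, but they hold full paths built from tmpdir (see the strcpy(tempMail, tmpdir) in the second hunk), so PATH_MAX would express the intent more directly. The declarations also deserve a short comment saying that the size must cover tmpdir plus the longest template and its terminating NUL, since the length check added further down depends on exactly that relation. The hunk shows no new #include, so confirm that temp.c already sees the header that defines the constant.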
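Review bot: in the second hunk (@@ -72,6 +72,11 @@), the added if tests only sizeof tempMail against the single template "RsXXXXXX", while five buffers are filled from tmpdir. The guard is correct for tempMail (sizeof on the literal counts the NUL), but it protects the other four only if they stay the same size and no template is longer than eight characters, and nothing in the code states that. Either note the assumption in a comment, derive the bound from a shared constant, or build each name with snprintf and check its return value so the strcpy(tempMail, tmpdir) that follows no longer relies on a check made elsewhere. The message is also written with printf to stdout and does not name TMPDIR; sending it to stderr and mentioning the variable would tell the user what to change.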