Date:      Thu, 13 May 1999 07:50:32 -0700 (PDT)
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/11687: buglet in login_class()
Message-ID:  <199905131450.HAA27110@gvpc85.gv.tsc.tdk.com>



>Number:         11687
>Category:       bin
>Synopsis:       buglet in login_class()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 13 08:00:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Don Lewis
>Release:        FreeBSD 3.2-BETA i386
>Organization:
TDK Semiconductor
>Environment:

	

>Description:

	The internal substvar() routine in login_class() has a small bug
	that could cause it to scribble one character outside the memory
	that it allocates from the heap.

>How-To-Repeat:

	If the first byte location before the variable contains a
	backslash character, substvar() may think it is processing an
	escape sequence and slide the buffer one character outside its
	allocated space.

	The problem is that substvar does something like this (simplified):
		np = malloc(...);                 /* heap buffer for the expanded value */
		p = strcpy(np, var);              /* strcpy() returns np, so p walks np */
		if (p > var && *(p-1) == '\\')    /* bound checked against var, not np */
			memmove(p - 1, p, l + 1); /* slides np's contents one byte left */
	The return value from "strcpy(np, var)" is "np", not "var",
	so pointer comparisons between "p" and "var" are not valid.
	Also, the buffer being modified is np.

	The intent of this test is to check to see if the
	preceding character was a backslash only if we aren't at
	the beginning of the buffer.


>Fix:
	
--- login_class.c.orig	Fri Sep  4 18:08:36 1998
+++ login_class.c	Thu May 13 06:51:40 1999
@@ -163,7 +163,7 @@
 		while (*(p += strcspn(p, "~$")) != '\0') {
 		    int	l = strlen(p);
 
-		    if (p > var && *(p-1) == '\\')  /* Escaped: */
+		    if (p > np && *(p-1) == '\\')  /* Escaped: */
 			memmove(p - 1, p, l + 1); /* Slide-out the backslash */
 		    else if (*p == '~') {
 			int	v = pch && *(p+1) != '/'; /* Avoid double // */
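Review bot: the new lower bound `np` on the `if (p > np && *(p-1) == '\\')` line is the right one, because `p` walks the heap copy `np` (it was obtained from `strcpy(np, var)` and is advanced by `p += strcspn(p, "~$")`), so the old `p > var` compared pointers into two different allocations: whenever `np` happened to sit above `var` in memory the guard was always true, and at `p == np` the `*(p-1)` read and the `memmove(p - 1, p, l + 1)` touched the byte before the block. Suggest a one-line comment on the guard stating that it protects the start of `np`, since `var` and `np` look interchangeable here and the regression would be easy to reintroduce.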


>Release-Note:
>Audit-Trail:
>Unformatted:
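The mechanism this report describes, as an added example that is not code from the original message or from FreeBSD's login_class.c: a simplified model of the escape-sliding loop with the bound pointer passed in as a parameter (`lower`, a hypothetical name), plus a harness that plants a backslash in the byte just before the heap copy so the effect of comparing against `var` instead of `np` can be observed deterministically. The function names and the block layout in the harness are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Model of the escape-sliding loop in substvar(): p walks the heap copy np
 * looking for '~' or '$' and removes a backslash found right before one.
 * `lower` is the pointer checked before peeking at p[-1]: the original code
 * compared against var, the fix compares against np.  Hypothetical helper;
 * returns the number of backslashes removed.
 */
static int slide_escapes(char *np, const char *lower)
{
    char *p = np;
    int removed = 0;

    while (*(p += strcspn(p, "~$")) != '\0') {
        size_t l = strlen(p);

        if (p > lower && *(p - 1) == '\\') {   /* Escaped: */
            memmove(p - 1, p, l + 1);          /* slide out the backslash */
            removed++;                         /* p now sits past the literal */
        } else {
            p++;        /* real ~/$ expansion omitted; skip the character */
        }
    }
    return removed;
}

/*
 * Deterministic reproduction: np is placed inside one larger block with a
 * backslash planted in the byte just before it, and a copy of var at a lower
 * address stands in for the real var, so the wrong bound is true at p == np.
 * Returns 1 if the byte before np was disturbed, 0 if it survived, -1 on
 * allocation failure.
 */
static int guard_byte_clobbered(const char *var, int use_fixed_bound)
{
    size_t n = strlen(var);
    char *block = malloc(2 * n + 3);      /* var copy | '\\' | np copy */
    if (block == NULL)
        return -1;
    strcpy(block, var);                   /* stands in for var */
    char *np = block + n + 2;
    np[-1] = '\\';                        /* the byte just before np */
    strcpy(np, var);
    slide_escapes(np, use_fixed_bound ? np : block);
    int clobbered = np[-1] != '\\';
    free(block);
    return clobbered;
}
```

With the old bound the value starting with `$` makes the loop read and overwrite the sentinel; with the fixed bound the sentinel survives and escapes inside the buffer are still slid out correctly.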

