From owner-freebsd-bugs Fri Sep 18 23:40:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA00810 for freebsd-bugs-outgoing; Fri, 18 Sep 1998 23:40:24 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA00803 for ; Fri, 18 Sep 1998 23:40:23 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id XAA19438; Fri, 18 Sep 1998 23:40:00 -0700 (PDT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA00611 for ; Fri, 18 Sep 1998 23:38:41 -0700 (PDT) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.9.1/8.9.1) id BAA25813; Sat, 19 Sep 1998 01:38:17 -0500 (CDT)
Message-Id: <199809190638.BAA25813@dan.emsphone.com>
Date: Sat, 19 Sep 1998 01:38:17 -0500 (CDT)
From: dnelson@emsphone.com (Dan Nelson)
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/7986: bad argument-processing code in su.c
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 7986
>Category: bin
>Synopsis: bad argument-processing code in su.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Sep 18 23:40:00 PDT 1998
>Last-Modified:
>Originator: Dan Nelson
>Organization: Executive Marketing Services, Inc.
>Release: FreeBSD 2.2.7-STABLE i386
>Environment:
FreeBSD dan.emsphone.com 2.2.7-STABLE FreeBSD 2.2.7-STABLE #0: Sat Aug 8 15:03:34 CDT 1998 dan@dan.emsphone.com:/usr/src/sys/compile/DAN i386
>Description:
The code in /usr/bin/su does not process its commandline correctly.
It is possible to pass arguments such that the "user" variable gets assigned to NULL, and a segfault occurs later on.
>How-To-Repeat:
	su --

	and see it coredump at:
	    if (strlen(user) > MAXLOGNAME - 1) {
>Fix:
Convert the argument processing to standard form: a "while(getopt())" loop followed by "if (optind < argc)" blocks, one per argument.

Index: su.c =================================================================== RCS file: /home/ncvs/src/usr.bin/su/su.c,v retrieving revision 1.14.2.9 diff -r1.14.2.9 su.c 137,138c137 < while(optind < argc) < if((ch = getopt(argc, argv, ARGSTR)) != -1) --- > while((ch = getopt(argc, argv, ARGSTR)) != -1) 166,167c165,166 < else < { --- > > if (optind < argc) 169,170d167 < break; < }
>Audit-Trail:
>Unformatted:
Dan Nelson

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
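
Review bot: The patch is a context-free "diff -r1.14.2.9", so in the 137,138c137 hunk the option switch that now sits directly under "while((ch = getopt(argc, argv, ARGSTR)) != -1)" is not visible, and neither is the unchanged line 168 that the later hunks re-guard. Please resend it as a unified or context diff so the resulting control flow can be checked without a checkout of revision 1.14.2.9. Lines 139 to 165 are untouched, so the body that used to hang off the removed "if" is worth a look for leftover indentation as well.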
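
Review bot: In the 166,167c165,166 hunk, when the new "if (optind < argc)" is false (the "su --" case from How-To-Repeat, where getopt() has consumed every argument), "user" keeps whatever value it had before the loop, and the diff does not show that initialisation. Please confirm that "user" is set to a non-NULL default before the option loop, or add an explicit else branch, because the "strlen(user)" check named in the report would still fault otherwise. A regression check for "su --" and for plain "su" with no operand would pin this down.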
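
Review bot: In the 169,170d167 hunk the closing "}" is removed along with the "{" from the previous hunk, which leaves "if (optind < argc)" guarding exactly one statement, the unchanged line 168. Since the Fix text anticipates further "if (optind < argc)" blocks, one per argument, keeping the braces around the guarded statement would make it harder for a later addition to fall outside the bounds check by accident.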