Date:      Wed, 10 Jul 2019 15:55:48 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Philip Paeps <philip@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r349890 - head/contrib/telnet/telnet
Message-ID:  <20190710195548.kdftfemj3icarcxo@mutt-hbsd>
In-Reply-To: <201907101742.x6AHg4os016752@repo.freebsd.org>
References:  <201907101742.x6AHg4os016752@repo.freebsd.org>



On Wed, Jul 10, 2019 at 05:42:04PM +0000, Philip Paeps wrote:
> Author: philip
> Date: Wed Jul 10 17:42:04 2019
> New Revision: 349890
> URL: https://svnweb.freebsd.org/changeset/base/349890
>
> Log:
>   telnet: fix a couple of snprintf() buffer overflows
>
>   Obtained from:	Juniper Networks
>   MFC after:	1 week
>
> Modified:
>   head/contrib/telnet/telnet/commands.c
>   head/contrib/telnet/telnet/telnet.c
>   head/contrib/telnet/telnet/utilities.c
>
> Modified: head/contrib/telnet/telnet/commands.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
> --- head/contrib/telnet/telnet/commands.c	Wed Jul 10 17:21:59 2019	(r3498=
89)
> +++ head/contrib/telnet/telnet/commands.c	Wed Jul 10 17:42:04 2019	(r3498=
90)
> @@ -1655,10 +1655,11 @@ env_init(void)
>  		char hbuf[256+1];
>  		char *cp2 =3D strchr((char *)ep->value, ':');
> =20
> -		gethostname(hbuf, 256);
> -		hbuf[256] =3D '\0';
> -		cp =3D (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
> -		sprintf((char *)cp, "%s%s", hbuf, cp2);
> +		gethostname(hbuf, sizeof(hbuf));
> +		hbuf[sizeof(hbuf)-1] =3D '\0';
> +                unsigned int buflen =3D strlen(hbuf) + strlen(cp2) + 1;

buflen should be defined with the rest of the variables in the code
block above this one.

> +		cp =3D (char *)malloc(sizeof(char)*buflen);

Lack of NULL check here leads to

> +		snprintf((char *)cp, buflen, "%s%s", hbuf, cp2);
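
Review bot: `buflen` is declared `unsigned int` in the added line, but it holds the sum of two `strlen()` results, which are `size_t`, and is then passed as the size argument to both `malloc()` and `snprintf()`; declaring it as `size_t buflen` keeps the type consistent with what those calls take and avoids a narrowing conversion on 64-bit platforms. That same added line is indented with spaces while the neighbouring lines use tabs, and `sizeof(char)` in the `malloc()` call is always 1 and can be dropped.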

potential NULL pointer deref here.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2

