Date: Mon, 4 Jun 2001 19:13:57 -0500 From: "Jacques A. Vidrine" <n@nectar.com> To: freebsd-audit@freebsd.org Subject: Re: Fwd: [$HOME buffer overflow in SunOS 5.8 x86] Message-ID: <20010604191356.A48356@shade.nectar.com> In-Reply-To: <20010604185510.B47924@shade.nectar.com>; from n@nectar.com on Mon, Jun 04, 2001 at 06:55:11PM -0500 References: <20010604185510.B47924@shade.nectar.com>
On Mon, Jun 04, 2001 at 06:55:11PM -0500, Jacques A. Vidrine wrote: > There are several other potential overflows (sprintf, strcpy), but > here is a patch for ones involving HOME. I don't think this > represents a security problem, though. Oops, forgot patch to extern.h. Here's the whole set again, with that leading. --- extern.h.orig Mon Jun 4 19:12:27 2001 +++ extern.h Mon Jun 4 18:47:36 2001 @@ -130,7 +130,7 @@ void free_child __P((int)); int from __P((int *)); off_t fsize __P((FILE *)); -int getfold __P((char *)); +int getfold __P((char *, size_t)); int gethfield __P((FILE *, char [], int, char **)); int getmsglist __P((char *, int *, int)); int getrawlist __P((char [], char **, int)); --- cmd1.c.orig Mon Jun 4 18:47:11 2001 +++ cmd1.c Mon Jun 4 18:47:22 2001 @@ -440,7 +440,7 @@ char dirname[BUFSIZ]; char *cmd; - if (getfold(dirname) < 0) { + if (getfold(dirname, sizeof(dirname)) < 0) { printf("No value set for \"folder\"\n"); return 1; } --- fio.c.orig Mon Jun 4 18:41:27 2001 +++ fio.c Mon Jun 4 18:51:37 2001 @@ -340,13 +340,18 @@ name = "~/mbox"; /* fall through */ } - if (name[0] == '+' && getfold(cmdbuf) >= 0) { + if (name[0] == '+' && getfold(cmdbuf, sizeof(cmdbuf)) >= 0) { sprintf(xname, "%s/%s", cmdbuf, name + 1); name = savestr(xname); } /* catch the most common shell meta character */ if (name[0] == '~' && (name[1] == '/' || name[1] == '\0')) { - sprintf(xname, "%s%s", homedir, name + 1); + if (snprintf(xname, sizeof(xname), "%s%s", homedir, name + 1) + >= sizeof(xname)) { + fprintf(stderr, "\"%s\": Expansion failed -- " + "path too long.\n", name); + return NOSTR; + } name = savestr(xname); } if (!anyof(name, "~{[*?$`'\"\\")) 
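Review bot: The `+folder` branch in the fio.c hunk still writes `xname` with an unbounded `sprintf(xname, "%s/%s", cmdbuf, name + 1)` on the line right after the new `getfold(cmdbuf, sizeof(cmdbuf))` call; bounding `cmdbuf` does not bound the result, because `name + 1` is the user's folder argument and the concatenation can still exceed `xname`. The guarded form the same hunk introduces for the `~` case fits here unchanged: `if (snprintf(xname, sizeof(xname), "%s/%s", cmdbuf, name + 1) >= sizeof(xname))` followed by the same "Expansion failed -- path too long" message and `return NOSTR;`. In both places the `>= sizeof(xname)` test compares snprintf's `int` against a `size_t`, so a negative error return is rejected only by unsigned promotion; an explicit `< 0` check would make that intent visible and keep -Wsign-compare quiet. The enclosing function begins and ends outside the hunk.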
@@ -398,18 +403,25 @@ * Determine the current folder directory name. */ int -getfold(name) +getfold(name, bufsize) char *name; + size_t bufsize; { char *folder; + int n; if ((folder = value("folder")) == NOSTR) return (-1); if (*folder == '/') - strcpy(name, folder); + n = strlcpy(name, folder, bufsize); else - sprintf(name, "%s/%s", homedir, folder); - return (0); + n = snprintf(name, bufsize, "%s/%s", homedir, folder); + if (n >= bufsize) { + fprintf(stderr, "Folder '%s' ignored -- path too long.\n", + folder); + return (-1); + } else + return (0); } /* --- lex.c.orig Mon Jun 4 18:46:48 2001 +++ lex.c Mon Jun 4 18:46:57 2001 @@ -613,7 +613,7 @@ s++; } ename = mailname; - if (getfold(fname) >= 0) { + if (getfold(fname, sizeof(fname)) >= 0) { strcat(fname, "/"); if (strncmp(fname, mailname, strlen(fname)) == 0) { sprintf(zname, "+%s", mailname + strlen(fname)); -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
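Review bot: In the new getfold() body `n` is declared `int` but receives the `size_t` result of `strlcpy` and is then compared with the `size_t` parameter in `if (n >= bufsize)`; the comparison is signed/unsigned, and a negative `snprintf` error return is caught only because it promotes to a large unsigned value. Declaring `size_t n;` and checking the snprintf branch explicitly — `int r = snprintf(name, bufsize, "%s/%s", homedir, folder); if (r < 0) return (-1); n = (size_t)r;` — makes the truncation test deliberate. The `else` after `return (-1);` is redundant; a bare `return (0);` reads cleaner. The comment above the function should also state the new contract, e.g. `/* Returns -1 if no folder is set or the path does not fit in bufsize bytes; name then holds at most a truncated path and must not be used. */`, since callers that previously never saw -1 for a set folder now can.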
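Review bot: The `strcat(fname, "/")` on the line after the new `getfold(fname, sizeof(fname))` call in the lex.c hunk can still overflow by one byte: getfold now only guarantees the path fits in `sizeof(fname)` including the terminator, so a path of exactly `sizeof(fname) - 1` characters leaves no room for the appended slash. The smallest fix is to reserve that byte in the call, `if (getfold(fname, sizeof(fname) - 1) >= 0) {`, or to replace the append with `strlcat(fname, "/", sizeof(fname))` and skip the comparison when it reports truncation. The `sprintf(zname, "+%s", mailname + strlen(fname))` on the hunk's last line is likewise unbounded and deserves the snprintf guard the fio.c hunk gives `xname`. The enclosing function begins and ends outside the hunk.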