Date:      Fri, 26 Nov 1999 09:45:50 -0500 (EST)
From:      jedgar@fxp.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/15101: [PATCH] cdcontrol does not perform bounds checking WRT dev name lengths
Message-ID:  <19991126144550.D62E19B38@pawn.primelocation.net>



>Number:         15101
>Category:       bin
>Synopsis:       [PATCH] cdcontrol does not perform bounds checking WRT dev name lengths
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 26 06:50:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Chris D. Faulhaber
>Release:        FreeBSD 3.3-STABLE i386
>Organization:
N/A
>Environment:

FreeBSD 3.3-STABLE and 4.0-CURRENT

>Description:

cdcontrol fails to perform basic bounds/sanity checking WRT device name
lengths.  Though this does not appear to be exploitable in any way (not
suid, etc), it can cause those annoying core dumps :)

>How-To-Repeat:

Using a file/path > 80 characters

% touch <long file/pathname>
% cdcontrol -f <long file/pathname> eject
Segmentation fault (core dumped)
% 

>Fix:

The following patch performs the necessary bounds checking.  Also, it
might be more proper to use MAXPATHLEN instead of the author's 80
char pathname limit.

Index: cdcontrol.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/cdcontrol/cdcontrol.c,v
retrieving revision 1.23
diff -u -r1.23 cdcontrol.c
--- cdcontrol.c	1999/11/18 23:04:38	1.23
+++ cdcontrol.c	1999/11/26 14:33:21
@@ -1042,11 +1042,11 @@
 		return (1);
 
 	if (*cdname == '/')
-		strcpy (devbuf, cdname);
+		snprintf (devbuf, 80, "%s", cdname);
 	else if (*cdname == 'r')
-		sprintf (devbuf, "/dev/%s", cdname);
+		snprintf (devbuf, 80, "/dev/%s", cdname);
 	else
-		sprintf (devbuf, "/dev/r%s", cdname);
+		snprintf (devbuf, 80, "/dev/r%s", cdname);
 
 	fd = open (devbuf, O_RDONLY);
 
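Review bot: the three snprintf calls ignore their return value, so a cdname that does not fit is silently truncated and the shortened devbuf goes straight to open (devbuf, O_RDONLY), which can then fail with a misleading error or open a different path than the one the user named. Compare the return value against the buffer size and exit with a "name too long" error when it is greater than or equal to it. The literal 80 repeated in all three calls also has to be kept in sync with devbuf's declaration by hand; sizeof(devbuf) (assuming devbuf is an array in scope here, which this hunk does not show) or MAXPATHLEN, as the report itself suggests, would avoid that.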

>Release-Note:
>Audit-Trail:
>Unformatted:
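
An added example, not part of the original report or of cdcontrol.c: the same device-name construction with the snprintf return value checked, so a name that does not fit is rejected rather than truncated. The helper `build_devname` and its error convention are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/param.h>	/* MAXPATHLEN */

/*
 * build_devname() is a hypothetical helper, not a function in cdcontrol.c.
 * Same three prefix cases as the patch, but truncation is an error:
 * returns 0 on success, -1 with errno set to ENAMETOOLONG or EINVAL.
 */
static int
build_devname(char *devbuf, size_t devlen, const char *cdname)
{
	const char *prefix;
	int n;

	if (cdname == NULL || *cdname == '\0' || devlen == 0) {
		errno = EINVAL;
		return (-1);
	}
	if (*cdname == '/')
		prefix = "";		/* absolute path, used as given */
	else if (*cdname == 'r')
		prefix = "/dev/";
	else
		prefix = "/dev/r";
	/* snprintf returns the length it needed, excluding the NUL. */
	n = snprintf(devbuf, devlen, "%s%s", prefix, cdname);
	if (n < 0 || (size_t)n >= devlen) {
		devbuf[0] = '\0';	/* do not leave a truncated path behind */
		errno = ENAMETOOLONG;
		return (-1);
	}
	return (0);
}

int
main(void)
{
	char devbuf[MAXPATHLEN], longname[200];

	/* Constructed input: a 199-byte absolute path, past the 80-byte limit. */
	memset(longname, 'a', sizeof(longname) - 1);
	longname[0] = '/';
	longname[sizeof(longname) - 1] = '\0';
	printf("80-byte buffer: %d\n", build_devname(devbuf, 80, longname));
	printf("MAXPATHLEN buffer: %d\n", build_devname(devbuf, sizeof(devbuf), longname));
	return (0);
}
```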

