From owner-freebsd-ports Fri Jul 24 02:00:45 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA23615 for freebsd-ports-outgoing; Fri, 24 Jul 1998 02:00:45 -0700 (PDT) (envelope-from owner-freebsd-ports@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA23593 for ; Fri, 24 Jul 1998 02:00:38 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id CAA14429; Fri, 24 Jul 1998 02:00:01 -0700 (PDT)
Received: (from nobody@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA21771; Fri, 24 Jul 1998 01:51:18 -0700 (PDT) (envelope-from nobody)
Message-Id: <199807240851.BAA21771@hub.freebsd.org>
Date: Fri, 24 Jul 1998 01:51:18 -0700 (PDT)
From: bonga@doxx.net
To: freebsd-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: www-1.0
Subject: ports/7387: the libslang-1.2.2 seems to have a minor buffer overflow in it ...
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         7387
>Category:       ports
>Synopsis:       the libslang-1.2.2 seems to have a minor buffer overflow in it ...
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 24 02:00:01 PDT 1998
>Last-Modified:
>Originator:     saad
>Organization:   n/a
>Release:        2.2.6
>Environment:
FreeBSD patla.webbernet.net 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Mon Jul 20 02:39:31 EDT 1998 root@patla.webbernet.net:/usr/src.1/sys/compile/GENERIC i386
>Description:
/usr/ports/devel/libslang/work/slang/src/sltermin.c:

    char *tidir;
    char *term;        /* passed into the function ... */
    char file[1024];

275     if ((tidir != NULL)
276         && (sizeof (file) > strlen (tidir) + 2 + strlen (term)))
277     {
278         sprintf (file, "%s/%c/%s", tidir, *term, term);

>How-To-Repeat:
If the two strings in question are of a combined length of 1021, 1021 + 2 would fulfil the less-than-1024 (sizeof(file)) check. But when sprintf-ing, more than three extra characters apart from these strings are required: these would be '/', %c, '/' _AND_ the ending NULL character, which seems to be pushed into something else's memory space.
>Fix:
Either of these two should work:

1. Use snprintf instead of sprintf so that the NULL char doesn't overwrite anything, even though it might concatenate the string by one character.

2. Convert line 276 to:

        && (sizeof (file) > strlen (tidir) + 3 + strlen (term)))
                                             ^^^
>Audit-Trail:
>Unformatted:
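The arithmetic behind the report, as an added example (not slang's code and not from the submitter): the original guard from line 276 beside the proposed constant-3 guard and the snprintf variant with its return value checked, plus a constructed 999 + 22 character input that reproduces the one-byte overrun without actually calling sprintf.

```c
#include <stdio.h>
#include <string.h>

/* sprintf("%s/%c/%s") stores strlen(tidir) + 3 + strlen(term) characters plus one NUL. */
size_t bytes_sprintf_writes(const char *tidir, const char *term)
{
    return strlen(tidir) + 3 + strlen(term) + 1;
}

/* The guard as on line 276 (constant 2): admits inputs that need bufsize + 1 bytes. */
int original_guard(const char *tidir, const char *term, size_t bufsize)
{
    return tidir != NULL && bufsize > strlen(tidir) + 2 + strlen(term);
}

/* Proposed fix 2 (constant 3): every admitted input fits together with its NUL. */
int fixed_guard(const char *tidir, const char *term, size_t bufsize)
{
    return tidir != NULL && bufsize > strlen(tidir) + 3 + strlen(term);
}

/* Proposed fix 1: snprintf, rejecting a truncated path via its return value. */
int build_terminfo_path(char *file, size_t bufsize, const char *tidir, const char *term)
{
    if (tidir == NULL || term == NULL || *term == '\0')
        return -1;
    int n = snprintf(file, bufsize, "%s/%c/%s", tidir, *term, term);
    return (n < 0 || (size_t)n >= bufsize) ? -1 : 0;   /* n is the untruncated length */
}

/* The report's case: constructed strings of combined length 1021 and a 1024-byte
 * buffer. Returns how many bytes past the buffer sprintf would write under the
 * chosen guard (1 for the original), or 0 if that guard refuses the input. */
int report_case_excess_bytes(int use_fixed_guard)
{
    static char tidir[1000], term[23];
    const size_t bufsize = 1024;
    memset(tidir, 'a', 999); tidir[999] = '\0';    /* 999 chars */
    memset(term, 'b', 22);   term[22] = '\0';      /* 22 chars, 1021 in total */
    if (!(use_fixed_guard ? fixed_guard : original_guard)(tidir, term, bufsize))
        return 0;
    return (int)(bytes_sprintf_writes(tidir, term) - bufsize);   /* no sprintf call made */
}

/* Ordinary input is assembled correctly by the snprintf variant. */
int short_path_ok(void)
{
    char file[64];
    return build_terminfo_path(file, sizeof file, "/usr/share/terminfo", "xterm") == 0
        && strcmp(file, "/usr/share/terminfo/x/xterm") == 0;
}
```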