From owner-freebsd-bugs Tue May 21 23:20:14 2002 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id DBDB737B419 for ; Tue, 21 May 2002 23:20:01 -0700 (PDT) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g4M6K1c47514; Tue, 21 May 2002 23:20:01 -0700 (PDT) (envelope-from gnats) Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 0605C37B40B for ; Tue, 21 May 2002 23:13:16 -0700 (PDT) Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g4M6DCOI050937 for ; Wed, 22 May 2002 16:13:12 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Received: (from marka@localhost) by drugs.dv.isc.org (8.12.3/8.12.3/Submit) id g4M6DCMY050936; Wed, 22 May 2002 16:13:12 +1000 (EST) Message-Id: <200205220613.g4M6DCMY050936@drugs.dv.isc.org> Date: Wed, 22 May 2002 16:13:12 +1000 (EST) From: Mark Andrews Reply-To: Mark Andrews To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Subject: bin/38402: buffer underrun in mkstemp(). Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 38402 >Category: bin >Synopsis: buffer underrun in mkstemp(). >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue May 21 23:20:01 PDT 2002 >Closed-Date: >Last-Modified: >Originator: Mark Andrews >Release: FreeBSD 4.6-RC i386 >Organization: ISC >Environment: System: FreeBSD drugs.dv.isc.org 4.6-RC FreeBSD 4.6-RC #5: Sat May 18 12:54:10 EST 2002 marka@drugs.dv.isc.org:/usr/obj/usr/src/sys/DRUGS i386 >Description: mkstemp() etc. will underrun the template buffer. >How-To-Repeat: main() { int s; char buf1[30]; strcpy(buf1, "XXXXXXX"); s = mkstemp(buf1+2); printf("%s\n", buf1); } The first two character should be X. You may need to repeat depending upon the random characters selected. >Fix: Index: mktemp.c =================================================================== RCS file: /home/ncvs/src/lib/libc/stdio/mktemp.c,v retrieving revision 1.19.2.1 diff -u -r1.19.2.1 mktemp.c --- mktemp.c 2001/01/20 09:35:24 1.19.2.1 +++ mktemp.c 2002/05/22 06:06:55 @@ -128,7 +128,7 @@ } /* Fill space with random characters */ - while (*trv == 'X') { + while (*trv == 'X' && trv >= path) { rand = arc4random() % (sizeof(padchar) - 1); *trv-- = padchar[rand]; } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message