Date: Thu, 28 Jun 2001 00:22:11 -0400 (EDT)
From: Mike Heffner
To: dd@FreeBSD.org
Cc: freebsd-bugs@FreeBSD.org, marcolz@stack.nl, freebsd-gnats-submit@freebsd.org
Subject: Re: bin/19422: users can overflow argv to make ps segfault
In-Reply-To: <200106280139.f5S1dnD13060@freefall.freebsd.org>

When I looked at this, it appeared that rev. 1.10 of fmt.c was meant to fix this.
However, it looks like the change just increased the buffer size but didn't put any
restrictions on the strvis(), which just means a bigger string is needed to overflow
`buf'. But I haven't looked at the code in detail, so there might be caps on the size
of argv[0] somewhere else that would block any overflow.

On 28-Jun-2001 dd@FreeBSD.org wrote:
| Synopsis: users can overflow argv to make ps segfault
|
| State-Changed-From-To: open->feedback
| State-Changed-By: dd
| State-Changed-When: Wed Jun 27 18:39:20 PDT 2001
| State-Changed-Why:
| I can't reproduce this on a recent -current or -stable. Is this still
| a problem?
Mike

--
Mike Heffner
Fredericksburg, VA