From owner-freebsd-bugs  Tue Feb 22 22:10: 6 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 709A037B809
	for <freebsd-bugs@FreeBSD.org>; Tue, 22 Feb 2000 22:10:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id WAA62841;
	Tue, 22 Feb 2000 22:10:01 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 7FAE537B7D1
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Feb 2000 22:00:24 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id WAA62291;
	Tue, 22 Feb 2000 22:00:24 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Message-Id: <200002230600.WAA62291@freefall.freebsd.org>
Date: Tue, 22 Feb 2000 22:00:24 -0800 (PST)
From: spock@techfour.net
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: bin/16926: [PATCH] banner doesn't  allocate space for nul
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         16926
>Category:       bin
>Synopsis:       [PATCH] banner doesn't  allocate space for nul
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 22 22:10:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Mike Heffner
>Release:        4.0-current
>Organization:
>Environment:
FreeBSD 4.0-CURRENT #0: Sat Feb 19 20:05:45 EST 2000 
>Description:
Banner doesn't allocate enough memory for the nul character. Banner 
will seg fault if it's sent a string with any multiple of 4096 
characters, because the nul ends up being written onto an unmapped 
page. This patch was posted to -audit a few weeks ago.
>How-To-Repeat:
run banner with a multiple of 4096 character string
Ex: banner [4096]
>Fix:
apply the following patch and recompile.

Index: usr.bin/banner/banner.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/banner/banner.c,v
retrieving revision 1.7
diff -u -r1.7 banner.c
--- banner.c    1999/12/04 02:11:51     1.7
+++ banner.c    2000/02/02 16:15:08
@@ -1063,7 +1063,7 @@
        /* Have now read in the data. Next get the message to be printed. */
        if (*argv) {
                for(i=0, j=0; i < argc; i++)
-                       j += strlen(argv[i]) + (i != 0);
+                       j += strlen(argv[i]) + 1;
                if ((message = malloc(j)) == NULL)
                        err(1, "malloc");
                strcpy(message, *argv);
           


>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message