Date: Wed, 11 Feb 2004 07:17:33 -0800 (PST) From: P MOULIN <moulin.p@calyopea.com> To: freebsd-gnats-submit@FreeBSD.org Subject: bin/62692: [PATCH] /usr/src/lib/libc/locale/ldpart.c buffer overflow Message-ID: <200402111517.i1BFHXON023561@www.freebsd.org> Resent-Message-ID: <200402111520.i1BFKH7V083887@freefall.freebsd.org>
>Number: 62692 >Category: bin >Synopsis: [PATCH] /usr/src/lib/libc/locale/ldpart.c buffer overflow >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Feb 11 07:20:17 PST 2004 >Closed-Date: >Last-Modified: >Originator: P MOULIN >Release: 5.1-RELEASE-p11 >Organization: calyopea.com >Environment: FreeBSD athlon 5.1-RELEASE-p11 FreeBSD 5.1-RELEASE-p11 #5: Thu Dec 25 17:32:30 CET 2003 root@athlon:/usr/src/sys/i386/compile/Athlon i386 >Description: in /usr/src/lib/libc/locale/ldpart.c - using strchr on non '\0' terminated buffers leading to buffer overflow. - test with *locale_buf != NULL without prior testing if locale_buf was NULL => sigvec Few minor things not compiling when using -Werror: - in /usr/src/lib/libc/locale/srune.c #include <string.h> missing for memcpy properly prototyped. - in /usr/src/lib/libc/locale/wcstold.c two unused vars : char *p and size_t clen; >How-To-Repeat: Using a modified gcc 3.3.2 patched with http://sourceforge.net/projects/boundschecking/ => bound-checker gcc. int main() { char *localtest; locale_test=setlocale(LC_TIME,"en_US.ISO8859-15"); if (!locale_test) return 1; return 0; } >Fix:
diff -ur /usr/src/lib/libc/locale_ORIGINAL/ldpart.c /usr/src/lib/libc/locale/ldpart.c
--- /usr/src/lib/libc/locale_ORIGINAL/ldpart.c Thu Jun 26 12:46:16 2003
+++ /usr/src/lib/libc/locale/ldpart.c Wed Feb 11 15:20:28 2004
@@ -69,7 +69,7 @@
 /*
 * If the locale name is the same as our cache, use the cache.
 */
- if (*locale_buf != NULL && strcmp(name, *locale_buf) == 0) {
+ if (locale_buf != NULL && *locale_buf != NULL && strcmp(name, *locale_buf) == 0) {
 *using_locale = 1;
 return (_LDP_CACHE);
 }
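Review bot: The added `locale_buf != NULL` test guards only this cache comparison, so a NULL `locale_buf` now falls through to the load path instead of being rejected. The rest of the function lies outside this hunk, but if it later stores the new buffer through `*locale_buf`, the crash simply moves further down. Rejecting the argument before the comparison, e.g. `if (locale_buf == NULL) return (_LDP_ERROR);`, would be safer, assuming that is how this function reports a bad argument. The new condition also runs past 80 columns and could be wrapped after the second `&&`.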
@@ -106,12 +106,15 @@
 if (_read(fd, p, (size_t) st.st_size) != st.st_size)
 goto bad_lbuf;
 /*
- * Parse the locale file into localebuf.
+ * check ending '\n' in freshly loaded locale.
 */
 if (plim[-1] != '\n') {
 errno = EFTYPE;
 goto bad_lbuf;
 }
+ /*
+ * Parse the locale file into localebuf.
+ */
 num_lines = split_lines(p, plim);
 if (num_lines >= locale_buf_size_max)
 num_lines = locale_buf_size_max;
@@ -151,12 +154,15 @@
 static int
 split_lines(char *p, const char *plim)
 {
- int i;
+ int i=0;
- for (i = 0; p < plim; i++) {
- p = strchr(p, '\n');
- *p++ = '\0';
- }
- return (i);
+ while (p < plim) {
+ if (*p == '\n') {
+ *p = '\0';
+ i++;
+ }
+ p++;
+ }
+ return (i);
 }
diff -ur /usr/src/lib/libc/locale_ORIGINAL/srune.c /usr/src/lib/libc/locale/srune.c
--- /usr/src/lib/libc/locale_ORIGINAL/srune.c Sat Nov 1 06:13:13 2003
+++ /usr/src/lib/libc/locale/srune.c Wed Feb 11 12:31:41 2004
@@ -28,6 +28,7 @@
 __FBSDID("$FreeBSD: src/lib/libc/locale/srune.c,v 1.1 2003/11/01 05:13:13 tjr Exp $");
 #include <limits.h>
+#include <string.h>
 #include <rune.h>
 #include <wchar.h>
diff -ur /usr/src/lib/libc/locale_ORIGINAL/wcstold.c /usr/src/lib/libc/locale/wcstold.c
--- /usr/src/lib/libc/locale_ORIGINAL/wcstold.c Fri Oct 31 14:29:00 2003
+++ /usr/src/lib/libc/locale/wcstold.c Wed Feb 11 12:32:37 2004
@@ -38,9 +38,9 @@
 wcstold(const wchar_t * __restrict nptr, wchar_t ** __restrict endptr)
 {
 long double val;
- char *buf, *end, *p;
+ char *buf, *end;
 const wchar_t *wcp;
- size_t clen, len;
+ size_t len;
 while (iswspace(*nptr))
 nptr++;
>Release-Note: >Audit-Trail: >Unformatted:
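Review bot: The only content check on the freshly read buffer is its last byte, `plim[-1] != '\n'`, so a locale file containing embedded NUL bytes is still accepted. With the bounded split_lines() from the next hunk such input no longer faults, but the returned count is then the number of newlines rather than the number of C strings in the buffer, which matters if the code after this hunk walks the lines with string functions (not visible here). A check beside the newline test, `if (memchr(p, '\0', plim - p) != NULL) { errno = EFTYPE; goto bad_lbuf; }`, would reject such a file. `plim[-1]` also relies on the file being non-empty, which is presumably checked earlier, outside the hunk.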
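Review bot: In the split_lines() hunk, `int i=0;` drops the spacing the rest of the file uses (the removed loop wrote `i = 0`), and the function still has no comment stating the bound it now honours. I would write `int i = 0;` and add above the function `/* Replace every '\n' in [p, plim) with '\0' and return how many were replaced; never reads at or past plim. */`. The byte loop could also keep the shape of the old one with a bounded search, `for (i = 0; (p = memchr(p, '\n', plim - p)) != NULL; i++)` followed by `*p++ = '\0';`.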