Date: Thu, 29 Oct 1998 17:23:57 -0700 (MST) From: Paul Hart <hart@iserver.com> To: Archie Cobbs <archie@whistle.com> Cc: Brendan Conoboy <synk@swcp.com>, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: getpwnam() problem? Message-ID: <Pine.BSF.3.96.981029171524.6100F-100000@anchovy.orem.iserver.com> In-Reply-To: <199810291913.LAA26982@bubba.whistle.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 29 Oct 1998, Archie Cobbs wrote: > Brendan Conoboy writes: > > > A couple weeks ago I filled out a little bug report with the GNATS > > form, but it's received no attention (maybe I should have marked it as > > critical?). Anyway, since it may well be security related, I wanted to > > point it out here. The condensed version is that if getpwnam() is > > given a very large string (say a few thousand characters) it will > > sigsegv or sigbus. This is true for 2.2.7-stable (as of a few weeks > > ago) and 3.0-release. Perhaps it's nothing, perhaps it's something, > > but it certainly doesn't happen on a whole slew of other OSes. The > > problem report is at: > > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=8176 > > I've located the bug and supplied a patch in a followup... > Very simple bug, someone please commit in 2.2 and 3.0. I'm running 2.2.7-RELEASE and the How-To-Repeat section in the PR above lists: #include <stdio.h> #include <sys/types.h> #include <pwd.h> char zeename[] = "AVeryLongStringGoesHere"; struct passwd *gunk; main() { gunk = getpwnam(zeename); } as sample code to exercise the bug in getpwnam(). However, it seems to have no affect. No SIGBUS or SIGSEGV that I can see. The patch in the PR for /usr/src/lib/libc/gen/getpwent.c shows that I have (presumably) vulnerable code at the diff location, but I don't seem to be experiencing problems with it. Has anyone else noticed these symptoms? Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.981029171524.6100F-100000>