From owner-freebsd-hackers Thu Oct 29 16:25:14 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA20792 for freebsd-hackers-outgoing; Thu, 29 Oct 1998 16:25:14 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [206.107.170.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA20774; Thu, 29 Oct 1998 16:25:10 -0800 (PST) (envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Thu, 29 Oct 1998 17:25:05 -0700 (MST)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1) id xma019844; Thu, 29 Oct 98 17:24:37 -0700
Received: (hart@localhost) by anchovy.orem.iserver.com (8.8.8) id RAA07147; Thu, 29 Oct 1998 17:23:57 -0700 (MST)
Date: Thu, 29 Oct 1998 17:23:57 -0700 (MST)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Archie Cobbs
cc: Brendan Conoboy, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: getpwnam() problem?
In-Reply-To: <199810291913.LAA26982@bubba.whistle.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 29 Oct 1998, Archie Cobbs wrote:

> Brendan Conoboy writes:
> 
> > A couple weeks ago I filled out a little bug report with the GNATS
> > form, but it's received no attention (maybe I should have marked it as
> > critical?). Anyway, since it may well be security related, I wanted to
> > point it out here. The condensed version is that if getpwnam() is
> > given a very large string (say a few thousand characters) it will
> > sigsegv or sigbus. This is true for 2.2.7-stable (as of a few weeks
> > ago) and 3.0-release. Perhaps it's nothing, perhaps it's something,
> > but it certainly doesn't happen on a whole slew of other OSes. The
> > problem report is at:
> > 
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=8176
> 
> I've located the bug and supplied a patch in a followup...
> Very simple bug, someone please commit in 2.2 and 3.0.

I'm running 2.2.7-RELEASE and the How-To-Repeat section in the PR above
lists:

    /* Sample program from the PR's How-To-Repeat section.  The three header
       names were lost in the archive; the standard headers that getpwnam()
       needs are restored here so the program compiles. */
    #include <sys/types.h>
    #include <pwd.h>
    #include <stdio.h>

    /* In the PR this is a string several thousand characters long. */
    char zeename[] = "AVeryLongStringGoesHere";
    struct passwd *gunk;

    int
    main(void)
    {
            gunk = getpwnam(zeename);
            return 0;
    }

as sample code to exercise the bug in getpwnam(). However, it seems to
have no effect. No SIGBUS or SIGSEGV that I can see. The patch in the PR
for /usr/src/lib/libc/gen/getpwent.c shows that I have (presumably)
vulnerable code at the diff location, but I don't seem to be experiencing
problems with it.

Has anyone else noticed these symptoms?

Paul Hart

-- 
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/
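The thread describes a libc lookup routine crashing when handed a name several thousand characters long. Independently of the fix in getpwent.c, a caller can keep such input away from the library in the first place. The following wrapper is an added example for this thread; it is not code from the PR, from any of the posters, or from FreeBSD's libc. The length limit MAX_LOGIN_LEN, the allowed character set, and the helper names check_login_name(), safe_getpwnam() and make_long_name() are all assumptions made for the example.

```c
/* Added example (not from the thread or from FreeBSD's libc): validate a
 * login name before handing it to getpwnam(), so an over-long or malformed
 * string never reaches the library's internal buffers.  The length limit
 * and the allowed character set below are assumptions for this example. */
#include <sys/types.h>
#include <pwd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

/* Assumed upper bound on a login name; use the limit your passwd backend
 * actually enforces (e.g. sysconf(_SC_LOGIN_NAME_MAX)) in real code. */
#define MAX_LOGIN_LEN 32

enum name_check { NAME_OK = 0, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_CHAR };

/* Check a candidate login name without touching the passwd database.
 * strnlen() bounds the scan, so a huge input costs at most
 * MAX_LOGIN_LEN + 1 bytes of reading before it is rejected. */
enum name_check check_login_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return NAME_EMPTY;
    size_t n = strnlen(name, MAX_LOGIN_LEN + 1);
    if (n > MAX_LOGIN_LEN)
        return NAME_TOO_LONG;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        /* POSIX portable user-name characters: letters, digits, '.', '_', '-' */
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return NAME_BAD_CHAR;
    }
    return NAME_OK;
}

/* getpwnam() with the input validated first.  Rejected input yields NULL
 * with errno set to ENAMETOOLONG or EINVAL; accepted input is passed to
 * the real getpwnam() unchanged. */
struct passwd *safe_getpwnam(const char *name)
{
    switch (check_login_name(name)) {
    case NAME_OK:
        return getpwnam(name);
    case NAME_TOO_LONG:
        errno = ENAMETOOLONG;
        return NULL;
    default:
        errno = EINVAL;
        return NULL;
    }
}

/* Constructed test input of the kind the PR describes: a name of `len`
 * 'A' characters.  The caller frees the result. */
char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *big = make_long_name(5000);
    if (big == NULL)
        return 1;
    errno = 0;
    struct passwd *pw = safe_getpwnam(big);
    printf("5000-byte name: %s (errno=%d)\n",
           pw == NULL ? "rejected" : "looked up", errno);
    pw = safe_getpwnam("root");
    printf("root: %s\n", pw != NULL ? "found" : "not found");
    free(big);
    return 0;
}
```

The check runs before any passwd backend is consulted, so it also protects NIS or other remote lookups that sit behind getpwnam(); the errno values let a caller distinguish a rejected name from a name that simply does not exist.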