Date:      Fri, 31 Jan 2020 02:17:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 243747] Add another length check to the iruserok_sa
Message-ID:  <bug-243747-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243747

            Bug ID: 243747
           Summary: Add another length check to the iruserok_sa
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: areiter@veracode.com

This is not really a bug, I have not seen it misused in code utilizing the API
call, and I wonder the actual number of users of the call, but I file this if
it might be worth adding for robustness sake. Apologies to open a ticket for
such a small and likely inconsequential-if-not-changed bit of nitpickery, but
so it goes:

This is simply adding an additional length check to iruserok_sa() function in
lib/libc/net/rcmd.c. There is a check for the length on line 441:

   427  iruserok_sa(const void *ra, int rlen, int superuser, const char *ruser,
   428      const char *luser)
   429  {
   430          char *cp;
   431          struct stat sbuf;
   432          struct passwd *pwd;
   433          FILE *hostf;
   434          uid_t uid;
   435          int first;
   436          char pbuf[MAXPATHLEN];
   437          const struct sockaddr *raddr;
   438          struct sockaddr_storage ss;
   439
   440          /* avoid alignment issue */
   441          if (rlen > sizeof(ss))
   442                  return(-1);
   443          memcpy(&ss, ra, rlen);


Is it worth changing to `(rlen > sizeof(ss) || rlen <= 0)`?

--
You are receiving this mail because:
You are the assignee for the bug.
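
Added example, not part of the original report or of FreeBSD's source: it compares the check at line 441 with the proposed one across edge-case lengths. The helper names `check_current` and `check_proposed` and the input buffer are constructed for illustration; the example assumes a platform where `size_t` is at least as wide as `int`.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: the check as it stands at line 441. The cast spells
 * out the int -> size_t conversion C already applies in
 * `rlen > sizeof(ss)` (assuming size_t is at least as wide as int), so a
 * negative rlen compares as a huge value and is rejected. */
int check_current(const void *ra, int rlen, struct sockaddr_storage *ss)
{
	if ((size_t)rlen > sizeof(*ss))
		return (-1);
	memcpy(ss, ra, (size_t)rlen);	/* rlen == 0 copies nothing */
	return (0);
}

/* Hypothetical helper: the check proposed in the report. */
int check_proposed(const void *ra, int rlen, struct sockaddr_storage *ss)
{
	if (rlen <= 0 || (size_t)rlen > sizeof(*ss))
		return (-1);
	memcpy(ss, ra, (size_t)rlen);
	return (0);
}

int main(void)
{
	/* Constructed input: a buffer larger than sockaddr_storage. */
	unsigned char ra[sizeof(struct sockaddr_storage) + 8] = {0};
	struct sockaddr_storage ss;
	int max = (int)sizeof(ss);
	int cases[] = { INT_MIN, -1, 0, 1, max, max + 1, INT_MAX };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("rlen=%11d current=%2d proposed=%2d\n", cases[i],
		    check_current(ra, cases[i], &ss),
		    check_proposed(ra, cases[i], &ss));
	return (0);
}
```

The two checks differ only at `rlen == 0`, where the existing code proceeds with `ss` left uninitialized.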


