Date: Wed, 31 Oct 2001 17:29:16 -0500 (EST)
From: "Andrew R. Reiter" <arr@fledge.watson.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/31673: lack of bounds check on string functions after getenv() call.
Message-ID: <200110312229.f9VMTGN88936@fledge.watson.org>
>Number: 31673
>Category: bin
>Synopsis: lack of bounds check on string functions after getenv() call.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 31 14:30:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Andrew R. Reiter
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD rakahanga 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Oct 29 06:39:11 GMT 2001 root@:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Essentially, after a call to getenv() in which the code wishes to
receive the data for the TMPDIR key, it either will do a sprintf
or strcpy depending on whether or not a NULL was returned from
getenv(). The sprintf() could be overflowed; the strcpy more than
likely not.
More specifically the problem is:
	char path[MAXPATHLEN];

	if (!first && !envtmp) {
		envtmp = getenv("TMPDIR");
		first = 1;
	}
	if (envtmp)
		(void)sprintf(path, "%s/%s", envtmp, _NAME_ARTMP);
	else
		strcpy(path, _PATH_ARTMP);
>How-To-Repeat:
>Fix:
Index: misc.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/ar/misc.c,v
retrieving revision 1.7
diff -u -r1.7 misc.c
--- misc.c 24 Jul 2001 14:04:20 -0000 1.7
+++ misc.c 31 Oct 2001 14:11:17 -0000
@@ -73,9 +73,10 @@
}
if (envtmp)
- (void)sprintf(path, "%s/%s", envtmp, _NAME_ARTMP);
+ (void)snprintf(path, sizeof(path), "%s/%s", envtmp,
+ _NAME_ARTMP);
else
- strcpy(path, _PATH_ARTMP);
+ strlcpy(path, _PATH_ARTMP, sizeof(path));
sigfillset(&set);
(void)sigprocmask(SIG_BLOCK, &set, &oset);
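Review bot: the snprintf() call on the envtmp branch still has its return value cast to (void), so a TMPDIR value too long for path is now silently truncated instead of overflowing the buffer, and the code after the hunk carries on with a shortened name. Consider comparing the return value against sizeof(path) and failing with an error when it is greater than or equal to it. The strlcpy() of the constant _PATH_ARTMP is harmless, but that branch is the one the description already calls unlikely to overflow.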
>Release-Note:
>Audit-Trail:
>Unformatted:
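An added example, not part of the original report or of the FreeBSD source: the path construction described above with the snprintf() return value checked, so that an oversized TMPDIR is rejected rather than truncated. The function name, the 64-byte buffer and the two macro values are assumptions standing in for the code in misc.c.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARTMP_NAME    "ar.XXXXXX"       /* assumed stand-in for _NAME_ARTMP */
#define ARTMP_DEFAULT "/tmp/ar.XXXXXX"  /* assumed stand-in for _PATH_ARTMP */

/*
 * Hypothetical helper: build the temp-file template into path[0..size).
 * Returns 0 on success, -1 with errno set if the result would not fit;
 * on failure path is left as an empty string so it cannot be used by mistake.
 */
int
build_tmp_template(char *path, size_t size, const char *envtmp)
{
	int n;

	if (size == 0) {
		errno = EINVAL;
		return (-1);
	}
	if (envtmp != NULL)
		n = snprintf(path, size, "%s/%s", envtmp, ARTMP_NAME);
	else
		n = snprintf(path, size, "%s", ARTMP_DEFAULT);

	/* snprintf() returns the length it needed; >= size means truncation. */
	if (n < 0 || (size_t)n >= size) {
		path[0] = '\0';
		errno = ENAMETOOLONG;
		return (-1);
	}
	return (0);
}

int
main(void)
{
	char path[64];	/* small constructed buffer in place of MAXPATHLEN */

	if (build_tmp_template(path, sizeof(path), getenv("TMPDIR")) == -1) {
		perror("TMPDIR");
		return (1);
	}
	printf("template: %s\n", path);
	return (0);
}
```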
