Date: Mon, 4 Nov 1996 16:37:04 +0100 (MET)
From: Mikael Hybsch <micke@free.dynas.se>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/1952: Long chat script makes ppp dump core
Message-ID: <199611041537.QAA03098@free.dynas.se>
Resent-Message-ID: <199611041540.HAA25662@freefall.freebsd.org>
>Number: 1952
>Category: bin
>Synopsis: Long chat script makes ppp dump core
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 4 07:40:01 PST 1996
>Last-Modified:
>Originator: Mikael Hybsch
>Organization:
Dynasoft AB
>Release: FreeBSD 2.2-961004-SNAP i386
>Environment:
>Description:
If the number of send-expect elements in "set login" or "set dial"
exceeds 20, /usr/sbin/ppp could core dump or malfunction because
the function MakeArgs() assigns a vector of char * from an input string
without any bounds checking.
>How-To-Repeat:
Create a chat script with more than 20 send-expect elements.
>Fix:
The following patch allows 40 send-expect elements and adds
a third argument to MakeArgs() with the size of the output vector.
MakeArgs() silently stops processing the input string
if the output size is reached.
Also fix a case in MakeArgs() where it sometimes would return without
null terminating the vector.
diff -u /usr/src/usr.sbin/ppp/auth.c ./auth.c
--- /usr/src/usr.sbin/ppp/auth.c Tue Jul 9 07:01:52 1996
+++ ./auth.c Mon Nov 4 14:51:10 1996
@@ -68,7 +68,7 @@
continue;
buff[strlen(buff)-1] = 0;
bzero(vector, sizeof(vector));
- n = MakeArgs(buff, vector);
+ n = MakeArgs(buff, vector, VECSIZE(vector));
if (n < 1)
continue;
if (strcmp(vector[0], system) == 0) {
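Review bot: VECSIZE(vector) in this hunk and the two that follow is only correct if vector is declared as an array in each of these functions; the declarations are outside the visible context. The bzero(vector, sizeof(vector)) line above suggests it is, but please confirm for all three call sites, since on a pointer the macro would evaluate to 1 and MakeArgs() would then store no arguments at all.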
@@ -102,7 +102,7 @@
continue;
buff[strlen(buff)-1] = 0;
bzero(vector, sizeof(vector));
- n = MakeArgs(buff, vector);
+ n = MakeArgs(buff, vector, VECSIZE(vector));
if (n < 2)
continue;
if (strcmp(vector[0], system) == 0) {
@@ -143,7 +143,7 @@
continue;
buff[strlen(buff)-1] = 0;
bzero(vector, sizeof(vector));
- n = MakeArgs(buff, vector);
+ n = MakeArgs(buff, vector, VECSIZE(vector));
if (n < 2)
continue;
if (strlen(vector[0]) == len && strncmp(vector[0], system, len) == 0) {
diff -u /usr/src/usr.sbin/ppp/chat.c ./chat.c
--- /usr/src/usr.sbin/ppp/chat.c Tue Jul 9 07:01:53 1996
+++ ./chat.c Mon Nov 4 14:51:10 1996
@@ -38,6 +38,7 @@
#include <sys/wait.h>
#include "timeout.h"
#include "vars.h"
+#include "chat.h"
#define IBSIZE 200
@@ -79,9 +80,10 @@
}
int
-MakeArgs(script, pvect)
+MakeArgs(script, pvect, maxargs)
char *script;
char **pvect;
+int maxargs;
{
int nargs, nb;
int instring;
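Review bot: The new maxargs parameter is undocumented, and from the check added in the next hunk it counts the slot for the terminating NULL, so a caller gets at most maxargs-1 arguments. A one-line comment above MakeArgs() saying so would prevent off-by-one mistakes at future call sites. Also note that VECSIZE() yields a size_t that is narrowed to int here; harmless for these small arrays, but worth being consistent about.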
@@ -95,9 +97,11 @@
instring = 1;
script++;
if (*script == '\0')
- return(nargs);
+ break; /* Shouldn't return here. Need to null terminate below */
} else
instring = 0;
+ if (nargs >= maxargs-1)
+ break;
*pvect++ = script;
nargs++;
script = findblank(script, instring);
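Review bot: At the new "if (nargs >= maxargs-1) break;" the input is truncated with no indication to the caller, so the returned nargs looks the same as for a script that really had that many elements, and a chat script would run with its tail dropped. Consider logging a warning or returning a distinct value when the limit is hit. The same check is also true immediately when maxargs is 0 or negative, after which the terminator mentioned in the comment above would be written to a vector with no room for it; an early return for maxargs < 1 would close that case.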
@@ -378,7 +382,7 @@
cp--;
}
sprintf(tmp, "%s %s", command, cp);
- (void) MakeArgs(tmp, &vector);
+ (void) MakeArgs(tmp, vector, VECSIZE(vector));
pipe(fids);
pid = fork();
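Review bot: The return value is still discarded with (void) here, directly before pipe() and fork(), so a command line cut short by the new limit would be executed with missing arguments and nothing would report it. Checking the count (or a truncation indicator) before forking would be safer. Separately, the sprintf(tmp, "%s %s", command, cp) in the context above has no length limit of its own; since this patch is about bounds, it would be worth confirming tmp is large enough or switching to a bounded call.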
@@ -522,7 +526,7 @@
DoChat(script)
char *script;
{
- char *vector[20];
+ char *vector[40];
char **argv;
int argc, n, state;
#ifdef DEBUG
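Review bot: With "char *vector[40]" and the maxargs-1 check in MakeArgs(), this holds 39 arguments plus the NULL terminator, not 40, which does not match the "allows 40" in the description. If 40 usable entries are intended the array needs 41 slots. A named constant instead of the literal 40 would also keep this limit in one place.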
@@ -537,7 +541,7 @@
numaborts = 0;
bzero(vector, sizeof(vector));
- n = MakeArgs(script, &vector);
+ n = MakeArgs(script, vector, VECSIZE(vector));
#ifdef DEBUG
logprintf("n = %d\n", n);
for (i = 0; i < n; i++)
diff -u /usr/src/usr.sbin/ppp/chat.h ./chat.h
--- /usr/src/usr.sbin/ppp/chat.h Tue Jul 9 07:01:53 1996
+++ ./chat.h Mon Nov 4 14:51:10 1996
@@ -25,5 +25,6 @@
#define _CHAT_H_
#include "cdefs.h"
extern char * ExpandString __P((char *, char *, int));
-extern int MakeArgs __P((char *, char **));
+extern int MakeArgs __P((char *, char **, int));
+#define VECSIZE(v) (sizeof(v) / sizeof(v[0]))
#endif
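Review bot: In the VECSIZE definition the argument is not parenthesized inside sizeof(v[0]); writing it as (sizeof(v) / sizeof((v)[0])) is the safer form for a macro in a shared header. A short comment that it must only be applied to true arrays, never to a pointer or a function parameter, would help, because the compiler will not reject that misuse.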
diff -u /usr/src/usr.sbin/ppp/command.c ./command.c
--- /usr/src/usr.sbin/ppp/command.c Wed Oct 30 09:15:12 1996
+++ ./command.c Mon Nov 4 14:51:10 1996
@@ -41,8 +41,8 @@
#include <net/route.h>
#include "os.h"
#include <paths.h>
+#include "chat.h"
-extern int MakeArgs();
extern void Cleanup(), TtyTermMode(), PacketMode();
extern int EnableCommand(), DisableCommand(), DisplayCommand();
extern int AcceptCommand(), DenyCommand();
@@ -530,7 +530,7 @@
if (cp)
*cp = '\0';
{
- argc = MakeArgs(buff, &vector);
+ argc = MakeArgs(buff, vector, VECSIZE(vector));
argv = vector;
if (argc > 0)
>Audit-Trail:
>Unformatted:
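The bounds problem described in the report, as an added example that is not part of the original message or of ppp's source: a splitter that takes the vector capacity, always NULL-terminates, and reports truncation instead of stopping silently. The name split_args and the sample script are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ppp's MakeArgs): split `line` in place on blanks,
 * honouring "quoted strings", into at most cap-1 pointers. vec[] is always
 * NULL-terminated. Returns the argument count, or -1 when the line holds
 * more tokens than fit (vec then keeps the first cap-1 of them). */
int split_args(char *line, char **vec, size_t cap)
{
    size_t n = 0;
    int truncated = 0;
    char *p = line;

    if (cap == 0)
        return -1;                      /* no room even for the terminator */
    for (;;) {
        int quoted = 0;
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '"') {
            quoted = 1;
            p++;
        }
        if (*p == '\0')
            break;                      /* fall through to the terminator */
        if (n >= cap - 1) {             /* last slot is reserved for NULL */
            truncated = 1;
            break;
        }
        vec[n++] = p;
        while (*p && (quoted ? *p != '"' : (*p != ' ' && *p != '\t')))
            p++;
        if (*p)
            *p++ = '\0';
    }
    vec[n] = NULL;
    return truncated ? -1 : (int)n;
}

int main(void)
{
    char script[] = "ABORT BUSY \"\" ATZ OK \"ATDT 5551234\" CONNECT"; /* constructed */
    char *vec[4];                       /* deliberately too small */
    int n = split_args(script, vec, sizeof(vec) / sizeof(vec[0]));

    printf("n=%d first=%s\n", n, vec[0]);
    return 0;
}
```

A caller that gets -1 can refuse to run the script rather than dialing with its tail missing.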
