From owner-freebsd-bugs Wed Mar 6 3: 0:16 2002 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 0BCAC37B419 for ; Wed, 6 Mar 2002 03:00:08 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g26B08L30728; Wed, 6 Mar 2002 03:00:08 -0800 (PST) (envelope-from gnats) Received: from descent.robbins.dropbear.id.au (108.c.005.mel.iprimus.net.au [210.50.42.108]) by hub.freebsd.org (Postfix) with ESMTP id F0A2237B402 for ; Wed, 6 Mar 2002 02:56:08 -0800 (PST) Received: (from tim@localhost) by descent.robbins.dropbear.id.au (8.11.6/8.11.6) id g26AsDX32399; Wed, 6 Mar 2002 21:54:13 +1100 (EST) (envelope-from tim) Message-Id: <200203061054.g26AsDX32399@descent.robbins.dropbear.id.au> Date: Wed, 6 Mar 2002 21:54:13 +1100 (EST) From: "Tim J. Robbins" Reply-To: "Tim J. Robbins" To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 Subject: bin/35590: [PATCH] Sloppy argument checking in expand(1) -> buffer overflow Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 35590 >Category: bin >Synopsis: [PATCH] Sloppy argument checking in expand(1) -> buffer overflow >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Mar 06 03:00:07 PST 2002 >Closed-Date: >Last-Modified: >Originator: Tim J. Robbins >Release: FreeBSD 4.5-STABLE i386 >Organization: >Environment: System: FreeBSD descent.robbins.dropbear.id.au 4.5-STABLE FreeBSD 4.5-STABLE #5: Sat Feb 16 18:56:18 EST 2002 tim@descent.robbins.dropbear.id.au:/usr/obj/usr/src/sys/DESCENT i386 >Description: expand(1) doesn't check that too many tab stops aren't specified with the -t option which leads to a buffer overflow. Not a security problem, but it is a bug and sloppy programming. >How-To-Repeat: tim@descent$ expand -t`jot 1000 | tr '\n' ','` Memory fault(coredump) >Fix: Index: expand/expand.c =================================================================== RCS file: /home/ncvs/src/usr.bin/expand/expand.c,v retrieving revision 1.8 diff -u -r1.8 expand.c --- expand/expand.c 2001/06/24 19:50:35 1.8 +++ expand/expand.c 2002/03/06 10:51:52 @@ -162,6 +162,8 @@ errx(1, "bad tab stop spec"); if (nstops > 0 && i <= tabstops[nstops-1]) errx(1, "bad tab stop spec"); + if (nstops == sizeof(tabstops) / sizeof(*tabstops)) + errx(1, "too many tab stops"); tabstops[nstops++] = i; if (*cp == 0) break; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message