Date: Wed, 10 Jul 2019 15:19:44 -0500
From: Justin Hibbits
To: Shawn Webb
Cc: Philip Paeps, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r349890 - head/contrib/telnet/telnet

On Wed, 10 Jul 2019 15:55:48 -0400 Shawn Webb wrote:

> On Wed, Jul 10, 2019 at 05:42:04PM +0000, Philip Paeps wrote:
> > Author: philip
> > Date: Wed Jul 10 17:42:04 2019
> > New Revision: 349890
> > URL: https://svnweb.freebsd.org/changeset/base/349890
> >
> > Log:
> > telnet: fix a couple of snprintf() buffer overflows
> >
> > Obtained from: Juniper Networks
> > MFC after: 1 week
> >
> > Modified:
> > head/contrib/telnet/telnet/commands.c
> > head/contrib/telnet/telnet/telnet.c
> > head/contrib/telnet/telnet/utilities.c
> >
> > Modified: head/contrib/telnet/telnet/commands.c
> > ==============================================================================
> > --- head/contrib/telnet/telnet/commands.c Wed Jul 10 > > 17:21:59 2019 (r349889) +++ > > head/contrib/telnet/telnet/commands.c Wed Jul 10 17:42:04 > > 2019 (r349890) 
@@ -1655,10 +1655,11 @@ env_init(void) char > > hbuf[256+1]; char *cp2 = strchr((char *)ep->value, ':'); > > > > - gethostname(hbuf, 256); > > - hbuf[256] = '\0'; > > - cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + > > 1); > > - sprintf((char *)cp, "%s%s", hbuf, cp2); > > + gethostname(hbuf, sizeof(hbuf)); > > + hbuf[sizeof(hbuf)-1] = '\0'; > > + unsigned int buflen = strlen(hbuf) + strlen(cp2) + > > 1;
>
> buflen should be defined with the rest of the variables in the code
> block above this one.

Agreed.

>
> > + cp = (char *)malloc(sizeof(char)*buflen);
>
> Lack of NULL check here leads to
>
> > + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2);
>
> potential NULL pointer deref here.

I'm not sure if this is actually a problem. env_init() is called exactly once, at the beginning of main(), and the environment size is fully constrained by the OS. That said, this file is the only one in this component that does not check the return value of malloc(). All other uses, outside of this file, check and error.

>
> Thanks,
>

- Justin
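
Review bot: The result of malloc(sizeof(char)*buflen) on the added lines of the env_init() hunk is passed to snprintf() without a NULL check, so an allocation failure turns into a write through a NULL pointer; test cp right after the allocation and exit with an error before the snprintf() call. In the same hunk, buflen holds the sum of two strlen() results, so it should be size_t rather than unsigned int and be declared next to hbuf and cp2 at the top of the block, and sizeof(char) is 1 by definition and can be dropped from the malloc() argument. The return value of gethostname(hbuf, sizeof(hbuf)) is also ignored, so if the call fails hbuf may hold indeterminate bytes in front of the forced terminator; checking it would keep the concatenated string well defined.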