From owner-freebsd-bugs Mon Jul 21 06:40:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA13770 for bugs-outgoing; Mon, 21 Jul 1997 06:40:04 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA13751; Mon, 21 Jul 1997 06:40:02 -0700 (PDT)
Resent-Date: Mon, 21 Jul 1997 06:40:02 -0700 (PDT)
Resent-Message-Id: <199707211340.GAA13751@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, nick@foobar.org
Received: from salmon.maths.tcd.ie (mmdf@salmon.maths.tcd.ie [134.226.81.11]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id GAA13587 for ; Mon, 21 Jul 1997 06:35:18 -0700 (PDT)
Received: from synge.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id aa25218; 21 Jul 97 14:35 +0100
Message-Id: <9707211435.aa01849@synge.maths.tcd.ie>
Date: Mon, 21 Jul 97 14:35:08 +0100
From: nick@foobar.org
Reply-To: nick@foobar.org
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/4134: Possible buffer overflow in lib/libc/gen/getpwent.c
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         4134
>Category:       bin
>Synopsis:       Potential buffer overflow in getpwent(), getpwnam() and getpwuid()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 21 06:40:01 PDT 1997
>Last-Modified:
>Originator:     Nick Hilliard
>Organization:
Ireland Online
>Release:        FreeBSD 2.2-STABLE i386
>Environment:
(src code)
>Description:
__hashpw() in lib/libc/gen/getpwent.c uses a flawed mechanism for allocating on-the-fly static buffer space for passwd entries. The mechanism checks whether the currently assigned buffer is big enough. If it isn't, it grows the buffer by a fixed 1024 chars, regardless of how much space the entry actually needs.
If __hashpw() is called with a passwd record more than 1024 bytes larger than the currently assigned buffer, the buffer is still too small after growing and other data can be overwritten.
>How-To-Repeat:
Set gecos to be large (>1024 chars) and then call getpwent().
>Fix:
On line 292 of getpwent.c, replace:

	if (data.size > max && !(line = realloc(line, max += 1024)))
		return(0);

with:

	if (data.size > max) {
		max = data.size + 1024;
		if (!(line = realloc(line, max)))
			return NULL;
	}

>Audit-Trail:
>Unformatted:
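Added illustration, not part of the original PR or of the FreeBSD source: a small C model of the growth check in __hashpw() before and after the proposed fix, showing that with a 1024-byte buffer and a 3000-byte record the original check grows the buffer to only 2048 bytes, so the copy that follows would run past its end. The function names, the `need` parameter and the sample sizes are assumptions made for this model.

```c
#include <stdlib.h>

/* Model of the growth check in __hashpw(): `line` is the buffer, `max` its
 * capacity, `need` the record size (data.size) about to be copied into it.
 * Each grow_* returns the capacity after growth, or 0 if realloc failed. */

/* Original check: grow by a fixed 1024 bytes however much is needed. */
static size_t grow_flawed(char **line, size_t max, size_t need)
{
    if (need > max) {
        char *p = realloc(*line, max + 1024);
        if (p == NULL)
            return 0;
        *line = p;
        max += 1024;
    }
    return max;
}

/* Proposed fix: size the buffer from the record that has to fit in it. */
static size_t grow_fixed(char **line, size_t max, size_t need)
{
    if (need > max) {
        char *p = realloc(*line, need + 1024);
        if (p == NULL)
            return 0;
        *line = p;
        max = need + 1024;
    }
    return max;
}

/* 1 if copying `need` bytes after growth would run past the buffer end. */
static int would_overflow(size_t (*grow)(char **, size_t, size_t), size_t max, size_t need)
{
    char *line = malloc(max);
    size_t cap = grow(&line, max, need);
    int overflow = cap != 0 && need > cap;
    free(line);
    return overflow;
}

int flawed_overflows(size_t max, size_t need) { return would_overflow(grow_flawed, max, need); }
int fixed_overflows(size_t max, size_t need) { return would_overflow(grow_fixed, max, need); }

int main(void)
{
    /* Constructed case: 1024-byte buffer, 3000-byte record (e.g. a huge gecos). */
    return (flawed_overflows(1024, 3000) && !fixed_overflows(1024, 3000)) ? 0 : 1;
}
```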