Date: Mon, 21 Jul 97 14:35:08 +0100
From: nick@foobar.org
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/4134: Possible buffer overflow in lib/libc/gen/getpwent.c
Message-ID: <9707211435.aa01849@synge.maths.tcd.ie>
Resent-Message-ID: <199707211340.GAA13751@hub.freebsd.org>
>Number:         4134
>Category:       bin
>Synopsis:       Potential buffer overflow in getpwent(), getpwnam() and getpwuid()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 21 06:40:01 PDT 1997
>Last-Modified:
>Originator:     Nick Hilliard
>Organization:   Ireland Online
>Release:        FreeBSD 2.2-STABLE i386
>Environment:
(src code)
>Description:
__hashpw() in lib/libc/gen/getpwent.c uses a flawed mechanism for allocating on-the-fly static buffer space for passwd entries. The mechanism checks to see if the currently assigned buffer is big enough. If it isn't, then it increases it by 1024 chars. If __hashpw() is called with a data structure of size more than 1024 bytes larger than the currently assigned buffer, it's possible that other data could be overwritten.
>How-To-Repeat:
Set gecos to be large (>1024 chars) and then call getpwent().
>Fix:
On line 292 of getpwent.c, replace:

	if (data.size > max && !(line = realloc(line, max += 1024)))
		return(0);

with:

	if (data.size > max) {
		max = data.size + 1024;
		if (!(line = realloc(line, max)))
			return NULL;
	}
>Audit-Trail:
>Unformatted:
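The growth check described in the report, modelled in a small stand-alone program. This is an added example, not code from the report or from FreeBSD's libc: `grow_flawed` reproduces the "grow by 1024 once" logic, `grow_fixed` the proposed replacement, and `record_fits` plays the role of the unconditional copy that follows the check in __hashpw(), except that it refuses to copy into a buffer that is too small and reports the would-be overflow instead. The record is a constructed byte string standing in for a passwd line with an oversized gecos field; the sizes used are assumptions chosen to exercise the boundary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified model (assumption, not the libc code): `line` is the static
 * buffer that receives the db record, `max` its current size, `need` the
 * size of the record about to be copied in.
 */

/* Flawed policy from the report: one 1024-byte bump, whatever `need` is.
 * Returns the resulting buffer size, or 0 if realloc failed. */
static size_t grow_flawed(char **line, size_t max, size_t need)
{
    if (need > max) {
        char *p = realloc(*line, max += 1024);
        if (p == NULL)
            return 0;
        *line = p;
    }
    return max;
}

/* Proposed fix: size the buffer from the record itself. */
static size_t grow_fixed(char **line, size_t max, size_t need)
{
    if (need > max) {
        max = need + 1024;
        char *p = realloc(*line, max);
        if (p == NULL)
            return 0;
        *line = p;
    }
    return max;
}

/* The copy that follows the check. In __hashpw() it runs unconditionally;
 * here it is guarded so the overflow is reported rather than triggered. */
static int copy_record(char *line, size_t max, const char *rec, size_t size)
{
    if (size > max)
        return 0;           /* buffer too small: real code would overflow here */
    memcpy(line, rec, size);
    return 1;
}

/* Run one growth policy against a constructed record of `rec_size` bytes
 * starting from a `start_max`-byte buffer. Returns 1 if the record fits
 * after growth, 0 if it would still overflow (or allocation failed). */
static int record_fits(size_t (*grow)(char **, size_t, size_t),
                       size_t start_max, size_t rec_size)
{
    char *line = malloc(start_max);
    char *rec = malloc(rec_size);
    if (line == NULL || rec == NULL) {
        free(line);
        free(rec);
        return 0;
    }
    memset(rec, 'A', rec_size);     /* constructed: oversized gecos payload */

    size_t max = grow(&line, start_max, rec_size);
    int ok = (max != 0) && copy_record(line, max, rec, rec_size);

    free(line);
    free(rec);
    return ok;
}

int main(void)
{
    /* A record more than 1024 bytes larger than the buffer is the case
     * the report describes: the flawed check grows 1024 -> 2048 and the
     * 3000-byte record would be copied into it anyway. */
    printf("flawed, 1024-byte buffer, 3000-byte record: %s\n",
           record_fits(grow_flawed, 1024, 3000) ? "fits" : "OVERFLOW");
    printf("fixed,  1024-byte buffer, 3000-byte record: %s\n",
           record_fits(grow_fixed, 1024, 3000) ? "fits" : "OVERFLOW");
    return 0;
}
```

The boundary is exactly where the report puts it: with a 1024-byte buffer the flawed check copes with a record of up to 2048 bytes (one bump covers it) and fails from 2049 bytes on, while the fixed check always leaves at least 1024 bytes of headroom beyond the record.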
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9707211435.aa01849>