Date:      Mon, 21 Jul 97 14:35:08 +0100
From:      nick@foobar.org
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   bin/4134: Possible buffer overflow in lib/libc/gen/getpwent.c
Message-ID:  <9707211435.aa01849@synge.maths.tcd.ie>
Resent-Message-ID: <199707211340.GAA13751@hub.freebsd.org>


>Number:         4134
>Category:       bin
>Synopsis:       Potential buffer overflow in getpwent(), getpwnam() and getpwuid()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 21 06:40:01 PDT 1997
>Last-Modified:
>Originator:     Nick Hilliard
>Organization:
Ireland Online
>Release:        FreeBSD 2.2-STABLE i386
>Environment:

	(src code)

>Description:

	__hashpw() in lib/libc/gen/getpwent.c uses a flawed mechanism
	for allocating on-the-fly static buffer space for passwd
	entries.  The mechanism checks to see if the currently
	assigned buffer is big enough.  If it isn't, then it
	increases it by 1024 chars.  If __hashpw() is called with
	a data structure of size more than 1024 bytes larger than
	the currently assigned buffer, it's possible that other
	data could be overwritten.

>How-To-Repeat:

	Set gecos to be large (>1024 chars) and then call getpwent().

>Fix:

	On line 292 of getpwent.c, replace:

        if (data.size > max && !(line = realloc(line, max += 1024)))
                return(0);

	with:

        if (data.size > max) {
                max = data.size + 1024;
                if (!(line = realloc(line, max)))
                        return NULL;
        }
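	The two sizing rules side by side, as an added illustration that is
	not part of this report or of the FreeBSD source: the reported growth
	(always max + 1024) beside the proposed one (data.size + 1024), with a
	guard that refuses the copy instead of overflowing. The function names,
	the 1024-byte starting buffer and the 3000-byte record are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growth rule as reported: grow by 1024 once. max is the current buffer size,
 * needed the record length (the DBT data.size __hashpw() copies). */
size_t grow_reported(size_t max, size_t needed) {
    if (needed > max)
        max += 1024;
    return max;
}

/* Growth rule from the proposed fix: size the buffer to the record plus 1024. */
size_t grow_fixed(size_t max, size_t needed) {
    if (needed > max)
        max = needed + 1024;
    return max;
}

/* 1 if copying `needed` bytes into a buffer of `max` bytes runs off its end. */
int would_overflow(size_t max, size_t needed) {
    return needed > max;
}

/* Heap copy of a record using the chosen growth rule; returns NULL rather than
 * overflowing (the reported code has no such guard). Caller frees the result. */
char *copy_record(size_t (*grow)(size_t, size_t), size_t max, const char *rec, size_t len) {
    size_t new_max = grow(max, len);
    if (would_overflow(new_max, len))
        return NULL;
    char *line = malloc(new_max);
    if (line == NULL)
        return NULL;
    memcpy(line, rec, len);
    return line;
}

int main(void) {
    /* Constructed input: a 3000-byte gecos-like record against a 1024-byte buffer. */
    char rec[3000];
    memset(rec, 'A', sizeof rec);
    size_t max = 1024;
    char *a = copy_record(grow_reported, max, rec, sizeof rec);
    char *b = copy_record(grow_fixed, max, rec, sizeof rec);
    printf("reported rule: %s\n", a ? "fits" : "would overflow");
    printf("fixed rule:    %s\n", b ? "fits" : "would overflow");
    free(a);
    free(b);
    return 0;
}
```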


>Audit-Trail:
>Unformatted:


