From owner-freebsd-bugs Thu Nov 23 16:50: 9 2000 Delivered-To: freebsd-bugs@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id D24EA37B4CF for ; Thu, 23 Nov 2000 16:50:00 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id QAA85833; Thu, 23 Nov 2000 16:50:00 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: from modemcable101.200-201-24.mtl.mc.videotron.ca (modemcable140.61-201-24.mtl.mc.videotron.ca [24.201.61.140]) by hub.freebsd.org (Postfix) with SMTP id 54F9A37B4C5 for ; Thu, 23 Nov 2000 16:45:26 -0800 (PST) Received: (qmail 36670 invoked from network); 24 Nov 2000 00:45:24 -0000 Received: from nitro.local.mindstep.com (HELO nitro) (postfix@192.168.10.2) by jacuzzi.local.mindstep.com with SMTP; 24 Nov 2000 00:45:24 -0000 Received: by nitro (Postfix, from userid 0) id 1A7322703C6; Thu, 23 Nov 2000 19:45:22 -0500 (EST) Message-Id: <20001124004522.1A7322703C6@nitro> Date: Thu, 23 Nov 2000 19:45:22 -0500 (EST) 
From: patrick@mindstep.com Reply-To: patrick@mindstep.com To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: kern/23057: the kernel config utility crashes with large path Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 23057 >Category: kern >Synopsis: the kernel config utility crashes with large path >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 23 16:50:00 PST 2000 >Closed-Date: >Last-Modified: >Originator: Patrick Bihan-Faou >Release: FreeBSD 4.1.1-STABLE i386 >Organization: MindStep Corporation >Environment: Up-to-date source code from the 4-STABLE branch (cvs co as of Nov, 22) >Description: The config utility used to configure a customized kernel can not accept long path names as arguments. Many internal variables are not sized properly (usually 80 characters !!!), and unsafe string copies are performed all over the place. >How-To-Repeat: config -d /a/path/obviously/longer/than/80/characters/which/can/happen/easily/if/you/keep/your/source/in/a/non/standard/directory/src/sys/KERNELNAME KERNELNAME will provoke the appropriate crash. >Fix: The following set of patches for /usr/sbin/config fix a bunch of unsafe string manipulations and size the variables containing path to be MAXPATHLEN long. --- main.c.orig +++ main.c @@ -98,7 +98,7 @@ switch (ch) { case 'd': if (*destdir == '\0') - strcpy(destdir, optarg); + strncpy(destdir, optarg, sizeof(destdir)); else errx(2, "directory already set"); break; @@ -135,8 +135,8 @@ destdir[--len] = '\0'; get_srcdir(); } else { - strcpy(destdir, CDIR); - strcat(destdir, PREFIX); + strncpy(destdir, CDIR, sizeof(destdir)); + strncat(destdir, PREFIX, sizeof(destdir)-strlen(destdir)); } p = path((char *)NULL); 
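Review bot: In the `case 'd':` hunk of main.c, `strncpy(destdir, optarg, sizeof(destdir))` leaves `destdir` without a terminating NUL when `optarg` is `sizeof(destdir)` bytes or longer, so a long `-d` path can still make later string operations on `destdir` read past the buffer. Rejecting the over-long path is safer than truncating it silently: `if (strlcpy(destdir, optarg, sizeof(destdir)) >= sizeof(destdir)) errx(2, "directory name too long");`. The same unterminated-copy risk applies to the `strncpy` calls in `toheader()` (mkheaders.c) and `tooption()` (mkoptions.c) that copy `path()` results and `po->o_file`. The enclosing `switch` starts and ends outside the hunk.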
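Review bot: The `strncat` bound in the `else` branch of the second main.c hunk is one byte too large: the third argument limits the characters appended and the terminating NUL is written on top of that, so `sizeof(destdir)-strlen(destdir)` permits a one-byte write past `destdir`. Use `strncat(destdir, PREFIX, sizeof(destdir) - strlen(destdir) - 1);`, or `strlcat(destdir, PREFIX, sizeof(destdir));` with the result checked. `strncat(hbuf, ".h", sizeof(hbuf)-strlen(hbuf))` in `toheader()` in mkheaders.c has the same off-by-one, and there the preceding `strncpy` of `path(dev)` may leave `hbuf` unterminated, which makes the `strlen` itself unsafe. The enclosing block starts outside the hunk.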
@@ -183,7 +183,7 @@ * and similarly for "machine". */ { - char xxx[80]; + char xxx[MAXPATHLEN]; if (*srcdir == '\0') (void)snprintf(xxx, sizeof(xxx), "../../%s/include", machinename); --- mkheaders.c.orig +++ mkheaders.c @@ -43,6 +43,7 @@ * Make all the .h files for the optional entries */ +#include #include #include #include @@ -220,10 +221,10 @@ toheader(dev) char *dev; { - static char hbuf[80]; + static char hbuf[MAXPATHLEN]; - (void) strcpy(hbuf, path(dev)); - (void) strcat(hbuf, ".h"); + (void) strncpy(hbuf, path(dev), sizeof(hbuf)); + (void) strncat(hbuf, ".h", sizeof(hbuf)-strlen(hbuf)); return (hbuf); } --- mkmakefile.c.orig +++ mkmakefile.c @@ -45,6 +45,7 @@ * additional files for the machine being compiled to. */ +#include #include #include #include @@ -232,7 +233,7 @@ struct device *save_dp; register struct opt *op; char *wd, *this, *needs, *special, *depends, *clean, *warn; - char fname[80]; + char fname[MAXPATHLEN]; int ddwarned = 0; int nreqs, first = 1, configdep, isdup, std, filetype, imp_rule, no_obj, before_depend, mandatory; --- mkoptions.c.orig +++ mkoptions.c @@ -44,6 +44,7 @@ * Make all the .h files for the optional entries */ +#include #include #include #include @@ -275,21 +276,21 @@ tooption(name) char *name; { - static char hbuf[80]; - char nbuf[80]; + static char hbuf[MAXPATHLEN]; + char nbuf[MAXPATHLEN]; struct opt_list *po; /* "cannot happen"? the otab list should be complete.. */ - (void) strcpy(nbuf, "options.h"); + (void) strncpy(nbuf, "options.h", sizeof(nbuf)); for (po = otab ; po != 0; po = po->o_next) { if (eq(po->o_name, name)) { - strcpy(nbuf, po->o_file); + strncpy(nbuf, po->o_file, sizeof(nbuf)); break; } } - (void) strcpy(hbuf, path(nbuf)); + (void) strncpy(hbuf, path(nbuf), sizeof(nbuf)); return (hbuf); } 
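Review bot: In the `tooption()` hunk of mkoptions.c the final copy is bounded by the wrong object: `strncpy(hbuf, path(nbuf), sizeof(nbuf))` should use `sizeof(hbuf)`. Both arrays are `MAXPATHLEN` in this patch, so this is not an overflow as written, but it becomes one as soon as the two sizes diverge. `hbuf` is returned to the caller and `nbuf` is passed on to `path()`, yet neither is guaranteed to be NUL-terminated after `strncpy` when `po->o_file` or the `path()` result fills the buffer. Checking for truncation instead, for example testing `strlcpy(hbuf, path(nbuf), sizeof(hbuf)) >= sizeof(hbuf)` and failing with an error, closes both problems.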
@@ -300,7 +301,7 @@ read_options() { FILE *fp; - char fname[80]; + char fname[MAXPATHLEN]; char *wd, *this, *val; struct opt_list *po; int first = 1; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message