Date: Wed, 10 Jul 2019 18:29:18 -0400 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Justin Hibbits <chmeeedalf@gmail.com> Cc: Philip Paeps <philip@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r349890 - head/contrib/telnet/telnet Message-ID: <20190710222918.vj4creizlubdzgw3@mutt-hbsd> In-Reply-To: <20190710202218.yc3lcd6tsql3zkyr@mutt-hbsd> References: <201907101742.x6AHg4os016752@repo.freebsd.org> <20190710195548.kdftfemj3icarcxo@mutt-hbsd> <20190710151944.0fd94ec3@titan.knownspace> <20190710202218.yc3lcd6tsql3zkyr@mutt-hbsd>
next in thread | previous in thread | raw e-mail | index | archive | help
--azbhwo34trcfg3f5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jul 10, 2019 at 04:22:18PM -0400, Shawn Webb wrote: > On Wed, Jul 10, 2019 at 03:19:44PM -0500, Justin Hibbits wrote: > > On Wed, 10 Jul 2019 15:55:48 -0400 > > Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > >=20 > > > On Wed, Jul 10, 2019 at 05:42:04PM +0000, Philip Paeps wrote: > > > > Author: philip > > > > Date: Wed Jul 10 17:42:04 2019 > > > > New Revision: 349890 > > > > URL: https://svnweb.freebsd.org/changeset/base/349890 > > > >=20 > > > > Log: > > > > telnet: fix a couple of snprintf() buffer overflows > > > > =20 > > > > Obtained from: Juniper Networks > > > > MFC after: 1 week > > > >=20 > > > > Modified: > > > > head/contrib/telnet/telnet/commands.c > > > > head/contrib/telnet/telnet/telnet.c > > > > head/contrib/telnet/telnet/utilities.c > > > >=20 > > > > Modified: head/contrib/telnet/telnet/commands.c > > > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > > > > --- head/contrib/telnet/telnet/commands.c Wed Jul 10 > > > > 17:21:59 2019 (r349889) +++ > > > > head/contrib/telnet/telnet/commands.c Wed Jul 10 17:42:04 > > > > 2019 (r349890) @@ -1655,10 +1655,11 @@ env_init(void) char > > > > hbuf[256+1]; char *cp2 =3D strchr((char *)ep->value, ':'); > > > > =20 > > > > - gethostname(hbuf, 256); > > > > - hbuf[256] =3D '\0'; > > > > - cp =3D (char *)malloc(strlen(hbuf) + strlen(cp2) + > > > > 1); > > > > - sprintf((char *)cp, "%s%s", hbuf, cp2); > > > > + gethostname(hbuf, sizeof(hbuf)); > > > > + hbuf[sizeof(hbuf)-1] =3D '\0'; > > > > + unsigned int buflen =3D strlen(hbuf) + strlen(cp2)= + > > > > 1; =20 > > >=20 > > > buflen should be defined with the rest of the variables in the code > > > block above this one. > >=20 > > Agreed. > >=20 > > >=20 > > > > + cp =3D (char *)malloc(sizeof(char)*buflen); =20 > > >=20 > > > Lack of NULL check here leads to > > >=20 > > > > + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); =20 > > >=20 > > > potential NULL pointer deref here. > >=20 > > I'm not sure if this is actually a problem. env_init() is called > > exactly once, at the beginning of main(), and the environment size is > > fully constrained by the OS. > >=20 > > That said, this file it the only one in this component that does not > > check the return value of malloc(). All other uses, outside of this > > file, check and error. >=20 > While fixing the style(9) violation above, we could still take care of > the potential NULL deref at the same time. If anything, just for code > correctness reasons? Here's a patch: https://gist.github.com/579685c0252673c3ad92d2536c3486c7 Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 --azbhwo34trcfg3f5 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAl0mZrkACgkQ/y5nonf4 4fonOxAAkkmmFdwEviglOgj8Odg8L+UEkbyDxTdH/auvBTfZTAQxMyr/tRaX8n5Q y0mIDhVnWIY1hyMOKtnaH2JvE1sDmLMuYiLY44nIBOzUS5bT2UylhyF3e7r7w9uJ LsMi5Ky0Ap313mhYZwyP0mGsWgU0U+uFwfCdfatV0BZMOX9G1jHXQyMIG/KGWO+Z cErCpJoNhOankh6IFZh5Z0WY8XtKhWwMXDT1AfRse8jHvjTbwmMCMph0bFBOaci2 OauFWvr0zax1dWoWO2EJeDPh2dOF8o0HKfFUkC0RINsKQMxG7sSsfceODl0ORb7k HTJEJXz9TItJC5xlHWkpCVo+UoaL5VFRDaPpEX8i/WYFXj8YKW1P4ah6J5osfVqG ky1BRnJOoRtc7S+EmdQuFZkSv0V1uSKzgp4hH2nDvxRd0xcu5cVJqhJmoCodQCXX nrdiM1cPhwUMgtJlDBZVp1EjRnd290+jRjR5bsoU+XdzkJCE+TiDf5HZw0gDD8Ui Zqcs5ZkiUpKBnsdkya4YI0AWqmtFdCqMqh57452aFwRE7oxxBWBkjJXYnMpwpVvS +ql/areAGV4HxsNz5bZEBv7TwNeYsvNKyEojdUmRfDjdmNOtROQNgYFKzVZO7Qn1 38Uqz/wR/7ymdeiRrSKNq5DlzWsJl8nFSskrSQ9lkMeYCAprYWw= =pPlH -----END PGP SIGNATURE----- --azbhwo34trcfg3f5--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190710222918.vj4creizlubdzgw3>