Date: Tue, 6 Oct 1998 15:28:00 -0700 (PDT) From: synk@swcp.com To: freebsd-gnats-submit@FreeBSD.ORG Subject: bin/8176: Buffer overflow in function called by getpwnam() Message-ID: <199810062228.PAA14893@hub.freebsd.org>
>Number:         8176
>Category:       bin
>Synopsis:       Buffer overflow in function called by getpwnam()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 6 15:30:01 PDT 1998
>Last-Modified:
>Originator:     Brendan Conoboy
>Organization:
>Release:        2.2.7-STABLE FreeBSD 2.2.7-STABLE #0: Wed Sep 23 12:10:33
>Environment:
FreeBSD uspca.swcp.com 2.2.7-STABLE FreeBSD 2.2.7-STABLE #0: Wed Sep 23 12:10:33 MDT 1998 root@:/usr/src/sys/compile/uspca i386
>Description:
When getpwnam() is passed a very large buffer, it will receive a SIGBUS or SIGSEGV. As far as I've looked so far, it appears to manifest itself in __hashpw(), possibly during this macro:

    #define EXPAND(e) e = t; while ( (*t++ = *p++) );

Though I'm no coder, I think the problem might be that in getpwnam, "name" isn't necessarily null terminated. It is defined one byte larger than what is bcopied into it, but the last byte might not be zero.
>How-To-Repeat:
    #include <stdio.h>
    #include <sys/types.h>
    #include <pwd.h>

    /* A name long enough to overrun the buffer described above. */
    char zeename[] = "AVeryLongStringGoesHere";
    struct passwd *gunk;

    int main(void)
    {
        gunk = getpwnam(zeename);   /* receives SIGBUS or SIGSEGV on the affected release */
        return 0;
    }
>Fix:
If it's really just a null termination problem, add the null. I've not yet recompiled my libraries to test this theory.
>Audit-Trail:
>Unformatted:
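As an added illustration, not code from the report or from FreeBSD's libc, the pattern the reporter suspects (a bounded copy that never writes the terminator) is shown beside the fix the report proposes, together with a bounded stand-in for the EXPAND() loop that cannot run past its destination. NAMEBUF and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not FreeBSD libc code. NAMEBUF is an assumed size for
 * a name buffer one byte larger than what is copied into it, as the report describes. */
#define NAMEBUF 16

/* Risky pattern: bytes are copied but no NUL is written, so a name that fills
 * the buffer leaves stale data where the terminator should be. Returns the
 * number of bytes copied. */
size_t copy_unterminated(char *dst, const char *name)
{
    size_t len = strlen(name);
    if (len > NAMEBUF - 1)
        len = NAMEBUF - 1;
    memset(dst, 'X', NAMEBUF);   /* stale bytes left from earlier use (constructed) */
    memcpy(dst, name, len);      /* bcopy(name, dst, len) in the original */
    return len;
}

/* Proposed fix: always write the terminator, and refuse a name that would
 * not fit instead of silently truncating it. Returns 0 on success, -1 if
 * the name is too long. */
int copy_terminated(char *dst, const char *name)
{
    size_t len = strlen(name);
    if (len > NAMEBUF - 1)
        return -1;
    memcpy(dst, name, len);
    dst[len] = '\0';
    return 0;
}

/* Bounded stand-in for the EXPAND() macro: copies at most n-1 bytes and
 * always terminates, so an unterminated source cannot drive the loop past
 * the destination. Returns the number of bytes copied. */
size_t expand_bounded(char *t, const char *p, size_t n)
{
    size_t i = 0;
    while (i + 1 < n && p[i] != '\0') {
        t[i] = p[i];
        i++;
    }
    t[i] = '\0';
    return i;
}
```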