From owner-freebsd-bugs Tue Oct 6 15:30:42 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA15725 for freebsd-bugs-outgoing; Tue, 6 Oct 1998 15:30:42 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA15582 for ; Tue, 6 Oct 1998 15:30:06 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id PAA22636; Tue, 6 Oct 1998 15:30:01 -0700 (PDT)
Received: (from nobody@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA14893; Tue, 6 Oct 1998 15:28:00 -0700 (PDT) (envelope-from nobody)
Message-Id: <199810062228.PAA14893@hub.freebsd.org>
Date: Tue, 6 Oct 1998 15:28:00 -0700 (PDT)
From: synk@swcp.com
To: freebsd-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: www-1.0
Subject: bin/8176: Buffer overflow in function called by getpwnam()
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         8176
>Category:       bin
>Synopsis:       Buffer overflow in function called by getpwnam()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 6 15:30:01 PDT 1998
>Last-Modified:
>Originator:     Brendan Conoboy
>Organization:
>Release:        2.2.7-STABLE FreeBSD 2.2.7-STABLE #0: Wed Sep 23 12:10:33
>Environment:
FreeBSD uspca.swcp.com 2.2.7-STABLE FreeBSD 2.2.7-STABLE #0: Wed Sep 23 12:10:33 MDT 1998 root@:/usr/src/sys/compile/uspca i386
>Description:
When getpwnam() is passed a very large buffer, it will receive a SIGBUS or SIGSEGV. As far as I've looked so far, it appears to manifest itself in __hashpw(), possibly during this macro:

#define EXPAND(e) e = t; while ( (*t++ = *p++) );

Though I'm no coder, I think the problem might be that in getpwnam, "name" isn't necessarily null terminated. It is defined one byte larger than what is bcopied into it, but the last byte might not be zero.
>How-To-Repeat:
#include <sys/types.h>
#include <pwd.h>

char zeename[] = "AVeryLongStringGoesHere";   /* a very long name goes here */
struct passwd *gunk;

int
main(void)
{
	gunk = getpwnam(zeename);
	return 0;
}
>Fix:
If it's really just a null termination problem, add the null. I've not yet recompiled my libraries to test this theory.
>Audit-Trail:
>Unformatted:
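Added example (my code, not part of this PR or of FreeBSD's libc): the unbounded copy idiom behind the EXPAND macro next to a bounded version that refuses input with no terminator, plus a small harness that reproduces the "one byte larger but not NUL-terminated" name buffer the report suspects. NAME_CAP, the function names and the sample name are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define NAME_CAP 16   /* assumed size of the destination field */
/* The idiom behind the report's EXPAND macro: copy until a NUL is found, with
 * no bound on either side. If src has no terminator within dst's size, the
 * copy runs past the end of dst (or reads past the end of src). */
static char *expand_unbounded(char *dst, const char *src)
{
    char *t = dst;
    while ((*t++ = *src++))
        ;
    return dst;
}

/* Bounded replacement: src_avail is how many bytes of src may be read at all.
 * Returns 0 with a NUL-terminated dst on success, -1 if src is not terminated
 * within src_avail or does not fit in dst together with its terminator. */
static int expand_bounded(char *dst, size_t cap, const char *src, size_t src_avail)
{
    const char *nul = memchr(src, '\0', src_avail);
    if (nul == NULL)                 /* no terminator: refuse, do not over-read */
        return -1;
    size_t n = (size_t)(nul - src);
    if (n >= cap)                    /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);         /* n bytes plus the NUL */
    return 0;
}

/* The situation the report describes: a "name" buffer one byte larger than the
 * bytes bcopied into it, where that last byte is whatever was there before.
 * add_null == 1 applies the proposed fix. Returns expand_bounded's result. */
static int demo_terminator(int add_null)
{
    char name[8], out[NAME_CAP];
    memset(name, 'X', sizeof name);  /* constructed stand-in for stale bytes */
    memcpy(name, "brendan", 7);      /* 7 bytes into an 8-byte buffer */
    if (add_null)
        name[7] = '\0';              /* "add the null" */
    return expand_bounded(out, sizeof out, name, sizeof name);
}

/* Returns 1 if the unbounded idiom copied a well-formed name intact. */
static int demo_wellformed(void)
{
    char out[NAME_CAP];
    return strcmp(expand_unbounded(out, "root"), "root") == 0;
}
```

Without the terminator the bounded copy returns -1 instead of walking off the end of the buffer; with it, the same input copies cleanly.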