Date: Mon, 4 Jun 2001 19:13:57 -0500 From: "Jacques A. Vidrine" <n@nectar.com> To: freebsd-audit@freebsd.org Subject: Re: Fwd: [$HOME buffer overflow in SunOS 5.8 x86] Message-ID: <20010604191356.A48356@shade.nectar.com> In-Reply-To: <20010604185510.B47924@shade.nectar.com>; from n@nectar.com on Mon, Jun 04, 2001 at 06:55:11PM -0500 References: <20010604185510.B47924@shade.nectar.com>
On Mon, Jun 04, 2001 at 06:55:11PM -0500, Jacques A. Vidrine wrote:
> There are several other potential overflows (sprintf, strcpy), but
> here is a patch for ones involving HOME. I don't think this
> represents a security problem, though.
Oops, forgot patch to extern.h. Here's the whole set again, with that
leading.
--- extern.h.orig Mon Jun 4 19:12:27 2001
+++ extern.h Mon Jun 4 18:47:36 2001
@@ -130,7 +130,7 @@
void free_child __P((int));
int from __P((int *));
off_t fsize __P((FILE *));
-int getfold __P((char *));
+int getfold __P((char *, size_t));
int gethfield __P((FILE *, char [], int, char **));
int getmsglist __P((char *, int *, int));
int getrawlist __P((char [], char **, int));
--- cmd1.c.orig Mon Jun 4 18:47:11 2001
+++ cmd1.c Mon Jun 4 18:47:22 2001
@@ -440,7 +440,7 @@
char dirname[BUFSIZ];
char *cmd;
- if (getfold(dirname) < 0) {
+ if (getfold(dirname, sizeof(dirname)) < 0) {
printf("No value set for \"folder\"\n");
return 1;
}
--- fio.c.orig Mon Jun 4 18:41:27 2001
+++ fio.c Mon Jun 4 18:51:37 2001
@@ -340,13 +340,18 @@
name = "~/mbox";
/* fall through */
}
- if (name[0] == '+' && getfold(cmdbuf) >= 0) {
+ if (name[0] == '+' && getfold(cmdbuf, sizeof(cmdbuf)) >= 0) {
sprintf(xname, "%s/%s", cmdbuf, name + 1);
name = savestr(xname);
}
/* catch the most common shell meta character */
if (name[0] == '~' && (name[1] == '/' || name[1] == '\0')) {
- sprintf(xname, "%s%s", homedir, name + 1);
+ if (snprintf(xname, sizeof(xname), "%s%s", homedir, name + 1)
+ >= sizeof(xname)) {
+ fprintf(stderr, "\"%s\": Expansion failed -- "
+ "path too long.\n", name);
+ return NOSTR;
+ }
name = savestr(xname);
}
if (!anyof(name, "~{[*?$`'\"\\"))
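Review bot: The `sprintf(xname, "%s/%s", cmdbuf, name + 1)` on the line following the new `getfold(cmdbuf, sizeof(cmdbuf))` call is still unbounded: `getfold` now guarantees `cmdbuf` fits, but `name` comes from the user (a `+folder` argument), so `cmdbuf` plus `name + 1` can still exceed `xname`. It should get the same `snprintf` length check that the `~` branch below it now has, returning `NOSTR` on truncation. The `>= sizeof(xname)` comparison in the new code mixes `snprintf`'s `int` with `size_t`; a negative (error) return converts to `SIZE_MAX` and is rejected, which is correct but worth a comment or an explicit `n < 0 ||` test. The enclosing function starts and ends outside this hunk.
```c
	if (name[0] == '+' && getfold(cmdbuf, sizeof(cmdbuf)) >= 0) {
		if (snprintf(xname, sizeof(xname), "%s/%s", cmdbuf, name + 1)
		    >= sizeof(xname)) {
			fprintf(stderr, "\"%s\": Expansion failed -- "
			    "path too long.\n", name);
			return NOSTR;
		}
		name = savestr(xname);
	}
	/* … unchanged: '~' expansion and anyof() check … */
```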
@@ -398,18 +403,25 @@
* Determine the current folder directory name.
*/
int
-getfold(name)
+getfold(name, bufsize)
char *name;
+ size_t bufsize;
{
char *folder;
+ int n;
if ((folder = value("folder")) == NOSTR)
return (-1);
if (*folder == '/')
- strcpy(name, folder);
+ n = strlcpy(name, folder, bufsize);
else
- sprintf(name, "%s/%s", homedir, folder);
- return (0);
+ n = snprintf(name, bufsize, "%s/%s", homedir, folder);
+ if (n >= bufsize) {
+ fprintf(stderr, "Folder '%s' ignored -- path too long.\n",
+ folder);
+ return (-1);
+ } else
+ return (0);
}
/*
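Review bot: `n` is declared `int` but receives `strlcpy`'s `size_t` return on one branch and `snprintf`'s `int` on the other, and `n >= bufsize` then compares signed with unsigned; a folder string longer than `INT_MAX` is not realistic, but a negative `snprintf` return (encoding error) only gets rejected by the accident of its conversion in the comparison. Declaring it `size_t n;` makes both assignments and the `n >= bufsize` test well-typed, and a `-1` from `snprintf` becomes `SIZE_MAX` and is rejected explicitly. Note also that on success `name` may be exactly `bufsize - 1` characters long, so callers that append to it (the `strcat` in lex.c) need to budget for that themselves.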
--- lex.c.orig Mon Jun 4 18:46:48 2001
+++ lex.c Mon Jun 4 18:46:57 2001
@@ -613,7 +613,7 @@
s++;
}
ename = mailname;
- if (getfold(fname) >= 0) {
+ if (getfold(fname, sizeof(fname)) >= 0) {
strcat(fname, "/");
if (strncmp(fname, mailname, strlen(fname)) == 0) {
sprintf(zname, "+%s", mailname + strlen(fname));
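Review bot: The `strcat(fname, "/")` right after the new bounded `getfold(fname, sizeof(fname))` call can still write one byte past `fname`: `getfold` succeeds whenever the path is at most `sizeof(fname) - 1` characters, and appending `/` then needs two more bytes (the slash and the terminator). Either reserve the byte up front, `if (getfold(fname, sizeof(fname) - 1) >= 0) {`, or replace the append with `strlcat(fname, "/", sizeof(fname))` and check its return against `sizeof(fname)`. The `sprintf(zname, "+%s", mailname + strlen(fname))` below it is also unbounded; whether it can overflow depends on how `zname` and `mailname` are sized, which is outside this hunk. The enclosing function starts and ends outside this hunk.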
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
