From owner-freebsd-bugs Mon Oct 4 16:47:54 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 4C6141553E; Mon, 4 Oct 1999 16:47:14 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40334>; Tue, 5 Oct 1999 09:43:46 +1000
Content-return: prohibited
Date: Tue, 5 Oct 1999 09:47:02 +1000
From: Peter Jeremy
Subject: Re: bin/14069: Buffer overflow in mail(1)
In-reply-to: <199910011110.HAA03024@lakes.dignus.com>
To: Thomas David Rivers
Cc: gnats-admin@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Oct5.094346est.40334@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0pre3i
Content-type: text/plain; charset=us-ascii
References: <99Oct1.143612est.40354@border.alcanet.com.au> <199910011110.HAA03024@lakes.dignus.com>
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 1999-Oct-10 21:10:46 +1000, Thomas David Rivers wrote:
> 	char *bufend;
> 	int gotlt, lastsp;
>-	char nbuf[BUFSIZ];
>+	char *nbuf = alloca(strlen(name));
>	                     ^^^^^^^^^^^^
>
> Looking at the code, I believe it might be possible for the
> result length to be strlen(name) + 1.

Ooops. I think I blew it. I didn't work through the code in detail and I'm sure it should be

	char *nbuf = alloca(strlen(name) + 1);

In any case, that was not really intended as a final fix. There appear to be lots of potential buffer overflows in mail(1). I don't really have the stomach for checking them all at present.

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015           Fax:   +61 2 9690 5982

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
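Review bot: the replacement line `char *nbuf = alloca(strlen(name));` allocates one byte too few: a copy of `name` needs `strlen(name) + 1` bytes for the terminating NUL, which is the point the quoted reply raises and the fix the author confirms below. Two further things a reviewer would want addressed before this goes in: `alloca()` has no way to report failure, so an oversized `name` turns the old fixed-buffer overflow into unchecked stack growth, and the hunk replaces the `BUFSIZ` array without adding any explicit bound on the copied length. Either keep a fixed buffer and reject or truncate input that does not fit, or use `malloc(strlen(name) + 1)` with a NULL check and a matching `free()`.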
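The sizing mistake discussed in the message, worked through as an added example that is not code from mail(1) or from the bin/14069 report: the function names `name_copy_size`, `name_copy` and `name_copy_bounded` and the sample inputs are constructed for illustration. It shows the `strlen(name) + 1` rule, a heap copy that can report allocation failure (which `alloca()` cannot), and a bounded copy into a fixed-size buffer that refuses input it cannot hold instead of overflowing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from mail(1) or from the bin/14069 patch.
 * A copy of `name` needs strlen(name) + 1 bytes so the NUL fits. */

/* Number of bytes any copy of `name` must have. */
size_t name_copy_size(const char *name)
{
    return strlen(name) + 1;   /* +1 for the NUL terminator */
}

/* Correctly sized heap copy of `name`.  Returns NULL on allocation
 * failure; unlike alloca(), malloc() can report that.  Caller frees. */
char *name_copy(const char *name)
{
    size_t n = name_copy_size(name);
    char *nbuf = malloc(n);
    if (nbuf == NULL)
        return NULL;
    memcpy(nbuf, name, n);     /* copies the NUL as well */
    return nbuf;
}

/* Bounded alternative to writing into a fixed `char nbuf[BUFSIZ]`:
 * copy `name` into `dst` (dstsz bytes) only if it fits, NUL included.
 * Returns 0 on success, -1 (dst untouched) if it would overflow. */
int name_copy_bounded(char *dst, size_t dstsz, const char *name)
{
    size_t n = name_copy_size(name);
    if (dstsz == 0 || n > dstsz)
        return -1;
    memcpy(dst, name, n);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one fits a 16-byte buffer, one does not. */
    const char *shortname = "peter@example";         /* 13 chars + NUL = 14 */
    char longname[32];
    memset(longname, 'a', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';             /* 31 chars + NUL = 32 */

    char fixed[16];
    printf("short fits: %s\n",
           name_copy_bounded(fixed, sizeof fixed, shortname) == 0 ? "yes" : "no");
    printf("long fits:  %s\n",
           name_copy_bounded(fixed, sizeof fixed, longname) == 0 ? "yes" : "no");

    char *copy = name_copy(longname);
    if (copy != NULL) {
        printf("heap copy holds %zu chars in a %zu-byte buffer\n",
               strlen(copy), name_copy_size(longname));
        free(copy);
    }
    return 0;
}
```

The bounded variant is the conservative replacement for the original `BUFSIZ` array: the caller decides what to do with a rejected name (drop it, truncate it, or report an error) rather than letting a long address header run past the end of the buffer.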