Date: Wed, 23 Feb 2000 22:37:19 -0800 (PST)
From: spock@techfour.net
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/16954: [PATCH] catopen(3) in libc can overflow on $NLSPATH
Message-ID: <200002240637.WAA69495@freefall.freebsd.org>
>Number: 16954
>Category: misc
>Synopsis: [PATCH] catopen(3) in libc can overflow on $NLSPATH
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 23 22:40:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Mike Heffner
>Release: 4.0-current
>Organization:
>Environment:
FreeBSD 4.0-CURRENT #0: Sat Feb 19 20:05:45 EST 2000
>Description:
The function catopen(3) in libc can overflow if $NLSPATH is too long.
This can be noticed by running /usr/bin/ee.
>How-To-Repeat:
$ NLSPATH=[5120] ee
>Fix:
Apply patch and recompile libc
Index: lib/libc/nls/msgcat.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/nls/msgcat.c,v
retrieving revision 1.21
diff -u -r1.21 msgcat.c
--- msgcat.c 2000/01/27 23:06:33 1.21
+++ msgcat.c 2000/02/02 19:38:09
@@ -92,8 +92,9 @@
char *nlspath;
char *lang;
long len;
- char *base, *cptr, *pathP;
+ char *base, *cptr;
struct stat sbuf;
+ int j;
if (!name || !*name) {
errno = EINVAL;
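Review bot: `int j;` in the declarations is a signed index that the later hunk subtracts from `sizeof(path)`, so every bound computed with it is mixed signed/unsigned arithmetic. Declare it as `size_t` and give it a name that says what it tracks (for example the current length of `path`), so that the expression `sizeof(path)-j-1` is plainly unsigned and easier to reason about.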
@@ -127,20 +128,22 @@
for (nlspath = cptr; *cptr; ++cptr) {
if (*cptr == ':') {
*cptr = '\0';
- for (pathP = path; *nlspath; ++nlspath) {
+ for (j=0; *nlspath; ++nlspath) {
if (*nlspath == '%') {
if (*(nlspath + 1) == 'L') {
++nlspath;
- strcpy(pathP, lang);
- pathP += strlen(lang);
+ strncpy(path+j, lang, sizeof(path)-j-1);
+ j += strlen(path+j);
} else if (*(nlspath + 1) == 'N') {
++nlspath;
- strcpy(pathP, name);
- pathP += strlen(name);
- } else *(pathP++) = *nlspath;
- } else *(pathP++) = *nlspath;
+ strncpy(path+j, name, sizeof(path)-j-1);
+ j += strlen(path+j);
+ } else if(sizeof(path)-j-1)
+ path[j++] = *nlspath;
+ } else if(sizeof(path)-j-1)
+ path[j++] = *nlspath;
}
- *pathP = '\0';
+ path[j] = '\0';
if (stat(path, &sbuf) == 0) {
catpath = path;
break;
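Review bot: the two `strncpy(path+j, ..., sizeof(path)-j-1);` calls followed by `j += strlen(path+j);` do not guarantee a terminator. When `lang` or `name` is at least `sizeof(path)-j-1` bytes long, strncpy fills the space without writing a NUL, and strlen then scans whatever happens to follow in `path` and possibly past its end. If `j` ends up above `sizeof(path)-1`, the unsigned expression `sizeof(path)-j-1` wraps to a very large value, the `else if(sizeof(path)-j-1)` guards no longer stop the writes, and `path[j] = '\0';` lands outside the buffer. Suggest advancing `j` by the number of bytes actually copied (the smaller of the source length and the remaining space) instead of calling strlen on the destination. Separately, a silently truncated `path` is still passed to `stat(path, &sbuf)` and can name a different file than the entry intended; skipping the entry or failing with ENAMETOOLONG when it does not fit would be safer than truncating.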
>Release-Note:
>Audit-Trail:
>Unformatted:
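A bounded form of the `%L`/`%N` expansion that the report describes, as an added example (not the submitter's patch and not FreeBSD's libc code): it rejects an entry that does not fit instead of truncating it. The names `expand_nls_entry` and `append`, and the caller-supplied output buffer, are assumptions made for this sketch.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Append n bytes of src at out[*pos]; fail instead of truncating. */
static int append(char *out, size_t outsz, size_t *pos, const char *src, size_t n)
{
    if (n >= outsz - *pos) {        /* always keep one byte for the NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out + *pos, src, n);
    *pos += n;                      /* invariant: *pos < outsz */
    return 0;
}

/*
 * Expand one NLSPATH entry: %L becomes lang, %N becomes name, and every
 * other byte (including a '%' not followed by L or N) is copied literally,
 * matching the loop shown in the patch.
 * Returns 0 on success, -1 with errno set if the result does not fit.
 */
int expand_nls_entry(const char *tmpl, const char *lang, const char *name,
                     char *out, size_t outsz)
{
    size_t pos = 0;

    if (outsz == 0) { errno = EINVAL; return -1; }
    for (; *tmpl; ++tmpl) {
        const char *src = tmpl;
        size_t n = 1;

        if (tmpl[0] == '%' && tmpl[1] == 'L') {
            src = lang; n = strlen(lang); ++tmpl;
        } else if (tmpl[0] == '%' && tmpl[1] == 'N') {
            src = name; n = strlen(name); ++tmpl;
        }
        if (append(out, outsz, &pos, src, n) != 0) {
            out[0] = '\0';          /* never hand back a partial path */
            return -1;
        }
    }
    out[pos] = '\0';
    return 0;
}
```

Because the length is tracked from the bytes actually copied, the remaining-space computation can never wrap, and an oversized entry is reported to the caller rather than passed on to `stat()` in truncated form.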
