From: Archie Cobbs
Message-Id: <199810300105.RAA09541@bubba.whistle.com>
Subject: Re: getpwnam() problem?
In-Reply-To: from Paul Hart at "Oct 29, 98 05:23:57 pm"
To: hart@iserver.com (Paul Hart)
Date: Thu, 29 Oct 1998 17:05:48 -0800 (PST)
Cc: archie@whistle.com, synk@swcp.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG

Paul Hart writes:
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=8176
> >
> > I've located the bug and supplied a patch in a followup...
> > Very simple bug, someone please commit in 2.2 and 3.0.
>
> I'm running 2.2.7-RELEASE and the How-To-Repeat section in the PR above
> lists:
>
>    #include
>    #include
>    #include
>
>    char zeename[] = "AVeryLongStringGoesHere";
>    struct passwd *gunk;
>
>    main()
>    {
>        gunk = getpwnam(zeename);
>    }
>
> as sample code to exercise the bug in getpwnam().  However, it seems to
> have no effect.  No SIGBUS or SIGSEGV that I can see.  The patch in the PR
> for /usr/src/lib/libc/gen/getpwent.c shows that I have (presumably)
> vulnerable code at the diff location, but I don't seem to be experiencing
> problems with it.  Has anyone else noticed these symptoms?

The sample program doesn't cause the bug. Try replacing "zeename"
with a string of 12000 characters.. then you'll see it.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com