From owner-freebsd-hackers Mon Dec 2 4:22:19 2002
Date: Mon, 2 Dec 2002 14:21:50 +0200
From: Peter Pentchev
To: hackers@FreeBSD.org
Cc: audit@FreeBSD.org
Subject: Re: [CFR] diskpart(1) buffer overflow fix
Message-ID: <20021202122150.GE372@straylight.oblivion.bg>
In-Reply-To: <20021202115809.GD372@straylight.oblivion.bg>
References: <20021202115809.GD372@straylight.oblivion.bg>

On Mon, Dec 02, 2002 at 01:58:09PM +0200, Peter Pentchev wrote:
> Hi,
>
> As noted on the vuln-dev list recently, the diskpart(1) program in
> -stable is susceptible to a buffer overflow in the parsing of
> command-line arguments. This is a low-risk problem, since diskpart(1)
> is not - and has never been, and has no reason to ever be - a privileged
> program, but still, there should be no harm in fixing it :)
>
> Attached are two patches: a trivial one which just fixes up two problems
> in diskpart's argument parsing, and a more complex one, which does it
> "the right way" IMHO, using getopt(3).
>
> Comments?

And a comment from myself: of course it would have been way better if I
had actually attached the patches...

G'luck,
Peter

-- 
Peter Pentchev    roam@ringlet.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?
Attachment: diskpart-trivial.patch
Index: src/usr.sbin/diskpart/diskpart.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/usr.sbin/diskpart/Attic/diskpart.c,v retrieving revision 1.11.2.1 diff -u -r1.11.2.1 diskpart.c --- src/usr.sbin/diskpart/diskpart.c 7 Jan 2002 06:00:23 -0000 1.11.2.1 +++ src/usr.sbin/diskpart/diskpart.c 2 Dec 2002 11:32:58 -0000 @@ -128,8 +128,6 @@ char *lp, *tyname; =20 argc--, argv++; - if (argc < 1) - usage(); if (argc > 0 && strcmp(*argv, "-p") =3D=3D 0) { pflag++; argc--, argv++; @@ -140,8 +138,10 @@ } if (argc > 1 && strcmp(*argv, "-s") =3D=3D 0) { totsize =3D atoi(argv[1]); - argc +=3D 2, argv +=3D 2; + argc -=3D 2, argv +=3D 2; } + if (argc < 1) + usage(); dp =3D getdiskbyname(*argv); if (dp =3D=3D NULL) { if (isatty(0))

Attachment: usr.sbin-diskpart.patch
Index: src/usr.sbin/diskpart/diskpart.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/usr.sbin/diskpart/Attic/diskpart.c,v retrieving revision 1.11.2.1 diff -u -r1.11.2.1 diskpart.c --- src/usr.sbin/diskpart/diskpart.c 7 Jan 2002 06:00:23 -0000 1.11.2.1 +++ src/usr.sbin/diskpart/diskpart.c 20 Nov 2002 15:14:46 -0000 @@ -55,6 +55,7 @@ #include #include #include +#include =20 #define for_now /* show all of `c' partition for disklabel */ #define NPARTITIONS 8
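Review bot: in the `@@ -128,8 +128,6 @@` hunk of diskpart-trivial.patch, dropping the early `argc < 1` guard is safe only because every option test that follows is written as `argc > 0 && strcmp(...)` or `argc > 1 && strcmp(...)`, so none of them reads `*argv` once the count has reached zero; an option check added later without that leading `argc` test would reintroduce the read past the end of argv. A one-line comment above the option block noting that the argument-count check now happens after option parsing would make that dependency visible to the next editor.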
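Review bot: in the `@@ -140,8 +138,10 @@` hunk, `argc -= 2` replacing `argc += 2` is the actual fix: with the old `+=`, every `-s size` made argc grow by two rather than shrink, the remaining count could never reach zero, and on a command line such as `diskpart -s 100` with no disk name `*argv` was left pointing at the argument vector's terminating NULL instead of a disk name, which then went straight into `getdiskbyname(*argv)`. Moving the `argc < 1` test to just after the options are consumed is the right place for it. Still unchecked in this hunk: `totsize = atoi(argv[1])` accepts any string, turning a non-numeric argument into 0 and passing a negative size through; strtol(3) with an end-pointer check plus a `totsize <= 0` rejection would close that.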
@@ -126,22 +127,30 @@ int threshhold, numcyls[NPARTITIONS], startcyl[NPARTITIONS]; int totsize =3D 0; char *lp, *tyname; + int ch; =20 - argc--, argv++; + while ((ch =3D getopt(argc, argv, "dps:")) !=3D EOF) + switch (ch) { + case 'd': + dflag++; + if (pflag) + usage(); + break; + =09 + case 'p': + if (dflag) + usage(); + pflag++; + break; + + case 's': + totsize =3D atoi(optarg); + break; + } + argc -=3D optind; + argv +=3D optind; if (argc < 1) usage(); - if (argc > 0 && strcmp(*argv, "-p") =3D=3D 0) { - pflag++; - argc--, argv++; - } - if (argc > 0 && strcmp(*argv, "-d") =3D=3D 0) { - dflag++; - argc--, argv++; - } - if (argc > 1 && strcmp(*argv, "-s") =3D=3D 0) { - totsize =3D atoi(argv[1]); - argc +=3D 2, argv +=3D 2; - } dp =3D getdiskbyname(*argv); if (dp =3D=3D NULL) { if (isatty(0))
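Review bot: the `switch (ch)` in the `@@ -126,22 +127,30 @@` hunk has no `default:` case, so an unknown option (getopt returns '?') or a `-s` with its value missing is only complained about on stderr by getopt(3) and parsing then carries on into `getdiskbyname(*argv)` as though the command line were fine; add `default: usage();`. Two smaller points: getopt(3) is documented as returning -1 when the options are exhausted, so the loop should read `!= -1` rather than `!= EOF` (which works only because stdio's constant happens to be -1); and making `-d` and `-p` mutually exclusive is new behaviour that the hand-rolled code did not have (it accepted `-p -d`), so it belongs in the commit message and the manual page. The whitespace-only line after the `'d'` case's `break;` (`+ =09`, a bare tab) will also trip a style check. As in the trivial patch, `totsize = atoi(optarg)` still accepts non-numeric and negative sizes.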