Date:      Thu, 23 Nov 2000 19:45:22 -0500 (EST)
From:      patrick@mindstep.com
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/23057: the kernel config utility crashes with large path
Message-ID:  <20001124004522.1A7322703C6@nitro>


>Number:         23057
>Category:       kern
>Synopsis:       the kernel config utility crashes with large path
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 23 16:50:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Patrick Bihan-Faou
>Release:        FreeBSD 4.1.1-STABLE i386
>Organization:
MindStep Corporation
>Environment:

Up-to-date source code from the 4-STABLE branch (cvs co as of Nov, 22)

>Description:

The config utility used to configure a customized kernel can not accept
long path names as arguments. Many internal variables are not sized properly
(usually 80 characters !!!), and unsafe string copies are performed all
over the place.


>How-To-Repeat:

config  -d /a/path/obviously/longer/than/80/characters/which/can/happen/easily/if/you/keep/your/source/in/a/non/standard/directory/src/sys/KERNELNAME KERNELNAME

will provoke the appropriate crash.

>Fix:


The following set of patches for /usr/sbin/config fixes a bunch of unsafe
string manipulations and sizes the variables containing paths to be
MAXPATHLEN long.



--- main.c.orig
+++ main.c
@@ -98,7 +98,7 @@
 		switch (ch) {
 		case 'd':
 			if (*destdir == '\0')
-				strcpy(destdir, optarg);
+				strncpy(destdir, optarg, sizeof(destdir));
 			else
 				errx(2, "directory already set");
 			break;
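Review bot: `strncpy(destdir, optarg, sizeof(destdir))` does not write a terminating NUL when optarg is sizeof(destdir) bytes or longer, so an over-long -d argument now leaves destdir unterminated and any later `strlen(destdir)` reads past the array. The argument should be rejected instead of truncated, for example `if (strlcpy(destdir, optarg, sizeof(destdir)) >= sizeof(destdir)) errx(2, "directory name too long");` if strlcpy is available on this branch, or an explicit `strlen(optarg) >= sizeof(destdir)` check before the copy. The same unterminated-copy pattern appears in the strncpy calls added to toheader() in mkheaders.c and tooption() in mkoptions.c. The switch statement starts and ends outside this hunk.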
@@ -135,8 +135,8 @@
 			destdir[--len] = '\0';
 		get_srcdir();
 	} else {
-		strcpy(destdir, CDIR);
-		strcat(destdir, PREFIX);
+		strncpy(destdir, CDIR, sizeof(destdir));
+		strncat(destdir, PREFIX, sizeof(destdir)-strlen(destdir));
 	}
 
 	p = path((char *)NULL);
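Review bot: The bound passed to strncat in the else branch is one too large: strncat appends up to n characters and then a NUL, so `sizeof(destdir)-strlen(destdir)` allows a one-byte write past the end of destdir when the buffer is nearly full. The call should read `strncat(destdir, PREFIX, sizeof(destdir) - strlen(destdir) - 1);`. CDIR and PREFIX look like build-time constants, so this is unlikely to trigger here, but the identical expression is used on hbuf in toheader() in mkheaders.c, where the input comes from path(dev). The enclosing function continues outside the hunk.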
@@ -183,7 +183,7 @@
 	 * and similarly for "machine".
 	 */
 	{
-	char xxx[80];
+	char xxx[MAXPATHLEN];
 	if (*srcdir == '\0')
 		(void)snprintf(xxx, sizeof(xxx), "../../%s/include",
 		    machinename);
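Review bot: `char xxx[MAXPATHLEN];` needs MAXPATHLEN in scope, and this patch adds `#include <sys/param.h>` to mkheaders.c, mkmakefile.c and mkoptions.c but not to main.c. The include list of main.c is not visible here, so confirm it already pulls in <sys/param.h> (directly or through config.h), or add the same include. The block and the snprintf statement continue past the end of the hunk.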
--- mkheaders.c.orig
+++ mkheaders.c
@@ -43,6 +43,7 @@
  * Make all the .h files for the optional entries
  */
 
+#include <sys/param.h>
 #include <ctype.h>
 #include <err.h>
 #include <stdio.h>
@@ -220,10 +221,10 @@
 toheader(dev)
 	char *dev;
 {
-	static char hbuf[80];
+	static char hbuf[MAXPATHLEN];
 
-	(void) strcpy(hbuf, path(dev));
-	(void) strcat(hbuf, ".h");
+	(void) strncpy(hbuf, path(dev), sizeof(hbuf));
+	(void) strncat(hbuf, ".h", sizeof(hbuf)-strlen(hbuf));
 	return (hbuf);
 }
 
--- mkmakefile.c.orig
+++ mkmakefile.c
@@ -45,6 +45,7 @@
  * additional files for the machine being compiled to.
  */
 
+#include <sys/param.h>
 #include <ctype.h>
 #include <err.h>
 #include <stdio.h>
@@ -232,7 +233,7 @@
 	struct device *save_dp;
 	register struct opt *op;
 	char *wd, *this, *needs, *special, *depends, *clean, *warn;
-	char fname[80];
+	char fname[MAXPATHLEN];
 	int ddwarned = 0;
 	int nreqs, first = 1, configdep, isdup, std, filetype,
 	    imp_rule, no_obj, before_depend, mandatory;
--- mkoptions.c.orig
+++ mkoptions.c
@@ -44,6 +44,7 @@
  * Make all the .h files for the optional entries
  */
 
+#include <sys/param.h>
 #include <ctype.h>
 #include <err.h>
 #include <stdio.h>
@@ -275,21 +276,21 @@
 tooption(name)
 	char *name;
 {
-	static char hbuf[80];
-	char nbuf[80];
+	static char hbuf[MAXPATHLEN];
+	char nbuf[MAXPATHLEN];
 	struct opt_list *po;
 
 	/* "cannot happen"?  the otab list should be complete.. */
-	(void) strcpy(nbuf, "options.h");
+	(void) strncpy(nbuf, "options.h", sizeof(nbuf));
 
 	for (po = otab ; po != 0; po = po->o_next) {
 		if (eq(po->o_name, name)) {
-			strcpy(nbuf, po->o_file);
+			strncpy(nbuf, po->o_file, sizeof(nbuf));
 			break;
 		}
 	}
 
-	(void) strcpy(hbuf, path(nbuf));
+	(void) strncpy(hbuf, path(nbuf), sizeof(nbuf));
 	return (hbuf);
 }
 
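Review bot: The final copy in tooption() bounds the write into hbuf with the size of a different buffer: `strncpy(hbuf, path(nbuf), sizeof(nbuf));`. It only works because both arrays are declared MAXPATHLEN in this patch, and it will silently become an overflow if either declaration changes, so it should be `sizeof(hbuf)`. Because hbuf is static and returned to the caller, it also needs explicit termination after the copy, e.g. `hbuf[sizeof(hbuf) - 1] = '\0';`, and the same applies to the two strncpy calls into nbuf before it is passed to path().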
@@ -300,7 +301,7 @@
 read_options()
 {
 	FILE *fp;
-	char fname[80];
+	char fname[MAXPATHLEN];
 	char *wd, *this, *val;
 	struct opt_list *po;
 	int first = 1;



>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message



