Date: Sun, 2 Mar 2003 18:16:22 +0100 (CET)
From: Peter A Jonsson <pj@ludd.luth.se>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/48844: Missing error checks in gzprintf.
Message-ID: <200303021716.h22HGMFt010661@skalman.campus.luth.se>
>Number: 48844 >Category: bin >Synopsis: Missing error checks in gzprintf. >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Mar 02 09:20:11 PST 2003 >Closed-Date: >Last-Modified: >Originator: Peter A Jonsson >Release: FreeBSD 5.0-CURRENT i386 >Organization: none. >Environment: System: FreeBSD skalman.campus.luth.se 5.0-CURRENT FreeBSD 5.0-CURRENT #9: Fri Feb 28 18:06:40 CET 2003 pantzer@skalman.campus.luth.se:/usr/obj/usr/src/sys/SKALMAN i386 >Description: In src/lib/libz/gzio.c the function gzprintf does not check if the amount of bytes (supposed to be) written by vsnprintf exceeds the size of the buffer. >How-To-Repeat: N/A >Fix: From OpenBSD: Index: gzio.c =================================================================== RCS file: /home/ncvs/src/lib/libz/gzio.c,v retrieving revision 1.8 diff -u -r1.8 gzio.c --- gzio.c 11 Mar 2002 22:36:26 -0000 1.8 +++ gzio.c 2 Mar 2003 17:05:48 -0000 @@ -531,13 +531,13 @@ va_start(va, format); #ifdef HAS_vsnprintf - (void)vsnprintf(buf, sizeof(buf), format, va); + len = vsnprintf(buf, sizeof(buf), format, va); #else (void)vsprintf(buf, format, va); + len = strlen(buf); /* some *sprintf don't return the nb of bytes written */ #endif va_end(va); - len = strlen(buf); /* some *sprintf don't return the nb of bytes written */ - if (len <= 0) return 0; + if (len <= 0 || len >= sizeof(buf)) return 0; return gzwrite(file, buf, (unsigned)len); } 
@@ -554,14 +554,14 @@ int len; #ifdef HAS_snprintf - snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8, + len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); #else sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); -#endif len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */ - if (len <= 0) return 0; +#endif + if (len <= 0 || len >= sizeof(buf)) return 0; return gzwrite(file, buf, len); } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
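Review bot: In the first hunk (the va_list variant of gzprintf), the `#else` branch still calls `(void)vsprintf(buf, format, va)`, which has no bound, so the new `len >= sizeof(buf)` test on that path can only run after the buffer has already been overrun. The length check protects only builds where HAS_vsnprintf is defined; say so in a comment on the `#else` branch, or make the build fail when vsnprintf is unavailable. Note also that `return 0` on truncation drops the output silently, so a caller cannot tell an oversized format result from an empty one; a sentence in the function's documentation would cover that.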
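Review bot: In the second hunk, `len` is declared `int` but is compared with `sizeof(buf)`, a size_t, in `len >= sizeof(buf)`. The `len <= 0` test in front of it keeps negative values out of the unsigned comparison, so the result is correct only because of that ordering; writing `(size_t)len >= sizeof(buf)` makes the intent explicit and avoids a signed/unsigned warning. The closing `gzwrite(file, buf, len)` also passes `len` without the `(unsigned)` cast used in the first hunk, which is worth making consistent. As in the first hunk, the `sprintf` fallback under `#else` is unbounded, so on that path the check comes too late to prevent the overflow.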