Date: Sun, 2 Mar 2003 18:16:22 +0100 (CET)
From: Peter A Jonsson <pj@ludd.luth.se>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/48844: Missing error checks in gzprintf.
Message-ID: <200303021716.h22HGMFt010661@skalman.campus.luth.se>
>Number: 48844
>Category: bin
>Synopsis: Missing error checks in gzprintf.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 02 09:20:11 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Peter A Jonsson
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
none.
>Environment:
System: FreeBSD skalman.campus.luth.se 5.0-CURRENT FreeBSD 5.0-CURRENT #9: Fri Feb 28 18:06:40 CET 2003 pantzer@skalman.campus.luth.se:/usr/obj/usr/src/sys/SKALMAN i386
>Description:
In src/lib/libz/gzio.c the function gzprintf does not check if the
amount of bytes (supposed to be) written by vsnprintf exceeds the
size of the buffer.
>How-To-Repeat:
N/A
>Fix:
From OpenBSD:
Index: gzio.c
===================================================================
RCS file: /home/ncvs/src/lib/libz/gzio.c,v
retrieving revision 1.8
diff -u -r1.8 gzio.c
--- gzio.c 11 Mar 2002 22:36:26 -0000 1.8
+++ gzio.c 2 Mar 2003 17:05:48 -0000
@@ -531,13 +531,13 @@
va_start(va, format);
#ifdef HAS_vsnprintf
- (void)vsnprintf(buf, sizeof(buf), format, va);
+ len = vsnprintf(buf, sizeof(buf), format, va);
#else
(void)vsprintf(buf, format, va);
+ len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
#endif
va_end(va);
- len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
- if (len <= 0) return 0;
+ if (len <= 0 || len >= sizeof(buf)) return 0;
return gzwrite(file, buf, (unsigned)len);
}
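Review bot: The new `len >= sizeof(buf)` test on the HAS_vsnprintf path trusts the return value of vsnprintf, while the comment that moved into the #else branch says some *sprintf implementations don't return the number of bytes written. If that caveat applies to any vsnprintf this code is built against, the truncation check will not fire, so say in a comment which return convention is assumed, or cross-check against strlen(buf). Returning 0 on truncation is also indistinguishable from a format that produced no output; that behaviour should be noted in the function's header comment so callers know long output is dropped rather than written short.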
@@ -554,14 +554,14 @@
int len;
#ifdef HAS_snprintf
- snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
+ len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
#else
sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-#endif
len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */
- if (len <= 0) return 0;
+#endif
+ if (len <= 0 || len >= sizeof(buf)) return 0;
return gzwrite(file, buf, len);
}
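Review bot: In the #else branch the unbounded sprintf has already written past the end of buf by the time `len = strlen(buf)` and the new `len >= sizeof(buf)` test run, so the check only protects the HAS_snprintf path; on the fallback path it is detection after the fact. A comment saying so would avoid a false sense of safety. Separately, `len` is declared `int` and compared with `sizeof(buf)`, which is a size_t; the `len <= 0` short-circuit keeps negative values away from the unsigned comparison, but writing `(size_t)len >= sizeof(buf)` makes that dependency explicit and avoids sign-compare warnings.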
>Release-Note:
>Audit-Trail:
>Unformatted:
