Date: Thu, 29 Oct 1998 17:05:48 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
To: hart@iserver.com (Paul Hart)
Cc: archie@whistle.com, synk@swcp.com, freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: getpwnam() problem?
Message-ID: <199810300105.RAA09541@bubba.whistle.com>
In-Reply-To: <Pine.BSF.3.96.981029171524.6100F-100000@anchovy.orem.iserver.com> from Paul Hart at "Oct 29, 98 05:23:57 pm"

Paul Hart writes:
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=8176
> >
> > I've located the bug and supplied a patch in a followup...
> > Very simple bug, someone please commit in 2.2 and 3.0.
>
> I'm running 2.2.7-RELEASE and the How-To-Repeat section in the PR above
> lists:
>
> #include <stdio.h>
> #include <sys/types.h>
> #include <pwd.h>
>
> /* name passed to getpwnam(); the PR's sample value */
> char zeename[] = "AVeryLongStringGoesHere";
> struct passwd *gunk;
>
> int main(void)
> {
>     gunk = getpwnam(zeename);
>     return 0;
> }
>
> as sample code to exercise the bug in getpwnam().  However, it seems to
> have no effect.  No SIGBUS or SIGSEGV that I can see.  The patch in the PR
> for /usr/src/lib/libc/gen/getpwent.c shows that I have (presumably)
> vulnerable code at the diff location, but I don't seem to be experiencing
> problems with it.  Has anyone else noticed these symptoms?

The sample program doesn't cause the bug.  Try replacing "zeename" with a
string of 12000 characters.. then you'll see it.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199810300105.RAA09541>
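A reproduction harness for the point Archie makes above, added here as an example and not code from the PR or from either poster. A 12000-character literal is impractical to paste, so the program builds the name at run time and reports what getpwnam() does with it; on a libc with the bug the call is expected to die with SIGSEGV or SIGBUS (the symptoms Paul looked for), while a fixed libc simply returns NULL. The second half, build_lookup_key(), is a hypothetical illustration of the bug class only (a caller-supplied name copied into a fixed-size lookup key) and is not the getpwent.c code or its patch; the KEY_MAXNAME limit and the key layout are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <pwd.h>

/* Constructed input: a username of n 'A' characters, standing in for the
 * 12000-character string suggested in the reply. Caller frees the result. */
char *make_long_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Call getpwnam() with an n-byte name. Returns 1 if an entry was found,
 * 0 if getpwnam() returned NULL, -1 if the name could not be allocated.
 * A libc with the bug discussed in the thread is expected not to return
 * for a large n but to crash inside getpwnam(). */
int probe_getpwnam(size_t n)
{
    char *name = make_long_name(n);
    struct passwd *pw;

    if (name == NULL)
        return -1;
    pw = getpwnam(name);
    free(name);
    return pw != NULL;
}

/* Hypothetical illustration of the bug class (not the getpwent.c code):
 * a lookup key made of one type byte followed by the name, built in a
 * fixed buffer. The copy is bounded by the buffer size, so an oversized
 * name is rejected with -1 instead of running past the end of bf.
 * Returns the key length on success. */
#define KEY_MAXNAME 16          /* assumed name limit for the illustration */

int build_lookup_key(const char *name, char *bf, size_t bflen)
{
    size_t len = strlen(name);

    if (bflen == 0 || len > bflen - 1)  /* one byte is reserved for the type */
        return -1;
    bf[0] = 1;                           /* key type: lookup by name */
    memcpy(bf + 1, name, len);
    return (int)(len + 1);
}

int main(int argc, char **argv)
{
    size_t n = argc > 1 ? (size_t)strtoul(argv[1], NULL, 10) : 12000;
    char key[KEY_MAXNAME + 1];
    char *longname = make_long_name(n);
    int r = probe_getpwnam(n);

    printf("getpwnam() with a %zu-byte name: %s\n", n,
           r == 1 ? "entry found" : r == 0 ? "NULL (no such user)"
                                           : "allocation failed");
    printf("bounded key for \"root\": %d\n",
           build_lookup_key("root", key, sizeof key));
    printf("bounded key for the %zu-byte name: %d\n", n,
           longname ? build_lookup_key(longname, key, sizeof key) : -1);
    free(longname);
    return 0;
}
```

Run it with no arguments for the 12000-byte case, or pass a length to try other sizes; a name length that makes the program crash rather than print a result is the bug reproducing, which is exactly the difference between this and the 23-character sample in the PR.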