Date: Fri, 22 Oct 1999 19:31:15 +0100
From: Tony Finch <fanf@demon.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/14465: vipw has dodgy string handling
Message-ID: <E11ejT9-0005Sg-00@fanf.eng.demon.net>
>Number: 14465 >Category: bin >Synopsis: vipw depends upon malloc() returning zero-filled memory >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Oct 23 06:47:19 PDT 1999 >Closed-Date: >Last-Modified: >Originator: Tony Finch >Release: FreeBSD 3.3-STABLE-19990927 i386 >Organization: Demon Internet Ltd >Environment: FreeBSD fanf.eng.demon.net 3.3-STABLE-19990927 FreeBSD 3.3-STABLE-19990927 #14: Mon Sep 27 02:50:55 BST 1999 root@fanf.eng.demon.net:/usr/src/sys/compile/DELL-PREC410 i386 >Description: If vipw is invoked like `vipw -d /some/directory/not/ending/in/slash` then it replaces the terminating '\0' with '/' before calling strcat. This would cause heap corruption if malloc() didn't happen to return a block of zeroes. >How-To-Repeat: >Fix: --- /usr/src/usr.sbin/vipw/vipw.c.orig Fri Oct 22 19:24:51 1999 +++ /usr/src/usr.sbin/vipw/vipw.c Fri Oct 22 19:25:51 1999 @@ -81,8 +81,9 @@ err(1, NULL); strcpy(masterpasswd, optarg); if (masterpasswd[strlen(masterpasswd) - 1] != '/') - masterpasswd[strlen(masterpasswd)] = '/'; - strcat(masterpasswd, _MASTERPASSWD); + strcat(masterpasswd, "/" _MASTERPASSWD); + else + strcat(masterpasswd, _MASTERPASSWD); if ((mppath = strdup(optarg)) == NULL) err(1, NULL); if (mppath[strlen(mppath) - 1] == '/') >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
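Review bot: the unchanged test `if (masterpasswd[strlen(masterpasswd) - 1] != '/')`, and the same indexing on `mppath` in the trailing context, reads index -1 when `-d` is given an empty argument; reject or special-case an empty `optarg` before indexing. The allocation for `masterpasswd` sits above the hunk and is not visible here, so confirm in the same change that it covers strlen(optarg) + 1 + strlen(_MASTERPASSWD) + 1 bytes, because both `strcat` branches depend on it. Building the path with a single bounded `snprintf` would make that size explicit and remove the need for two `strcat` branches.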
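The failure described in the report, as an added example that is not part of the original message or of vipw: the pre-patch and patched string logic run on a block that is not zero-filled. `MASTERPASSWD`, `STALE`, `dirty_block` and `build_path` are hypothetical names, and the 'X' fill is a constructed stand-in for stale heap contents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MASTERPASSWD "master.passwd"  /* stand-in for _MASTERPASSWD */
#define STALE 4                       /* constructed: stale bytes left in the block */

/* Hypothetical helper: a block as a non-zeroing malloc() might return it.
 * One NUL is placed after STALE junk bytes so the pre-patch path stays in
 * bounds in this demo; a tightly sized block would be overrun by strcat(). */
static char *dirty_block(size_t len)
{
    size_t cap = len + 1 + STALE + strlen(MASTERPASSWD) + 1;
    char *p = malloc(cap);
    if (p == NULL)
        return NULL;
    memset(p, 'X', cap);
    p[len + 1 + STALE] = '\0';
    return p;
}

/* patched == 0: pre-patch logic; patched != 0: logic from the fix. */
char *build_path(const char *dir, int patched)
{
    size_t len = strlen(dir);
    char *buf;

    if (len == 0 || (buf = dirty_block(len)) == NULL)
        return NULL;              /* demo guard: buf[len - 1] needs len > 0 */
    strcpy(buf, dir);
    if (buf[strlen(buf) - 1] != '/') {
        if (patched) {
            strcat(buf, "/" MASTERPASSWD);
            return buf;
        }
        buf[strlen(buf)] = '/';   /* overwrites the terminator */
    }
    strcat(buf, MASTERPASSWD);    /* pre-patch: appends after the stale bytes */
    return buf;
}

int main(void)
{
    char *before = build_path("/tmp/etc", 0), *after = build_path("/tmp/etc", 1);
    if (before == NULL || after == NULL) return 1;
    printf("pre-patch: %s\npatched:   %s\n", before, after);
    free(before); free(after);
    return 0;
}
```

The pre-patch result carries the stale bytes between the slash and the file name; with a zero-filled block the same code happens to produce the correct path, which is why the bug stays hidden.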