From owner-freebsd-bugs  Thu Jan 27 22:10: 5 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id BB5AB159B6
	for <freebsd-bugs@FreeBSD.org>; Thu, 27 Jan 2000 22:10:02 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id WAA30425;
	Thu, 27 Jan 2000 22:10:02 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from celery.dragondata.com (celery.dragondata.com [205.253.12.6])
	by hub.freebsd.org (Postfix) with ESMTP id A80CB14C16
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 27 Jan 2000 22:05:20 -0800 (PST)
	(envelope-from toasty@celery.dragondata.com)
Received: (from root@localhost)
	by celery.dragondata.com (8.9.3/8.9.3) id AAA83141;
	Fri, 28 Jan 2000 00:05:11 -0600 (CST)
	(envelope-from toasty)
Message-Id: <200001280605.AAA83141@celery.dragondata.com>
Date: Fri, 28 Jan 2000 00:05:11 -0600 (CST)
From: Kevin Day <toasty@dragondata.com>
Reply-To: toasty@dragondata.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/16415: Buffer overflow in procctl(8)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         16415
>Category:       bin
>Synopsis:       Buffer overflow in procctl(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 27 22:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Kevin Day
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
DragonData Internet Services
>Environment:

Any FreeBSD system

>Description:

Procctl has a simple buffer overflow. It's not suid, so I wouldn't consider
this a security problem.

>How-To-Repeat:

su-2.03# procctl 22348723894723984728974892748923894729834728934798273489273498274
Segmentation fault (core dumped)

>Fix:
	
--- procctl.c   Thu Jan 27 23:55:57 2000
+++ procctl.c   Thu Jan 27 23:56:57 2000
@@ -63,7 +63,7 @@
   for (i = 1; i < ac; i++) {
     char buf[32];

-    sprintf(buf, "/proc/%s/mem", av[i]);
+    snprintf(buf, sizeof(buf), "/proc/%s/mem", av[i]);
     fd = open(buf, O_RDWR);
     if (fd == -1) {
       if (errno == ENOENT)


>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message