Date:      Fri, 24 Jul 1998 01:51:18 -0700 (PDT)
From:      bonga@doxx.net
To:        freebsd-gnats-submit@FreeBSD.ORG
Subject:   ports/7387: the libslang-1.2.2 seems to have a minor buffer overflow in it ...
Message-ID:  <199807240851.BAA21771@hub.freebsd.org>


>Number:         7387
>Category:       ports
>Synopsis:       the libslang-1.2.2 seems to have a minor buffer overflow in it ...
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 24 02:00:01 PDT 1998
>Last-Modified:
>Originator:     saad
>Organization:
n/a
>Release:        2.2.6
>Environment:
FreeBSD patla.webbernet.net 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Mon Jul 20 02:39:31 EDT 1998     root@patla.webbernet.net:/usr/src.1/sys/compile/GENERIC  i386

>Description:
/usr/ports/devel/libslang/work/slang/src/sltermin.c:

char *tidir;
char *term;  /* passed into the function ... */
char file[1024];


275        if ((tidir != NULL)
276            && (sizeof (file) > strlen (tidir) + 2 + strlen (term)))
277          {
278            sprintf (file, "%s/%c/%s", tidir, *term, term);

>How-To-Repeat:
if the two strings in question are of combined length of 1021,
1021 + 2 would fulfil the less-than 1024 (sizeof(file)) length.

but when sprinting more than three extra characters apart from these
strings are required
these would be '/', %c, '/' _AND_ the ending NULL character, which
seems to be pushed into something else's memory space
>Fix:
either of these two should work:
either:

1. use snprintf instead of sprintf so that the NULL char doesn't
 overwrite anything even though it might concatenate the string by one
 character

or:
2. converting line 276 to:
&& (sizeof (file) > strlen (tidir) + 3 + strlen (term)))
                                    ^^^

>Audit-Trail:
>Unformatted:
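
Added example, not part of the original report or of libslang's source: the boundary case from the report (combined length 1021) run against the quoted check, the "+ 3" check, and an snprintf-based build. The function names, FILE_SIZE, the "vt100" term and the 1016-byte directory string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FILE_SIZE ((size_t) 1024)  /* sizeof (file) in the report */

/* Bytes sprintf (file, "%s/%c/%s", ...) writes: '/', %c, '/' and the NUL. */
size_t bytes_written(const char *tidir, const char *term)
{
    return strlen(tidir) + 3 + strlen(term) + 1;
}

/* Line 276 as quoted in the report. */
int check_original(const char *tidir, const char *term)
{
    return FILE_SIZE > strlen(tidir) + 2 + strlen(term);
}

/* Line 276 with the "+ 3" from fix 2. */
int check_fixed(const char *tidir, const char *term)
{
    return FILE_SIZE > strlen(tidir) + 3 + strlen(term);
}

/* Fix 1: snprintf never writes past size; truncation is reported as -1. */
int build_path(char *file, size_t size, const char *tidir, const char *term)
{
    int n = snprintf(file, size, "%s/%c/%s", tidir, *term, term);
    return (n >= 0 && (size_t) n < size) ? 0 : -1;
}

/* Constructed input: 1016 bytes, so with "vt100" the combined length is 1021. */
void make_boundary_dir(char *tidir)   /* caller provides 1017 bytes */
{
    memset(tidir, 'a', 1016);
    tidir[1016] = '\0';
}

int main(void)
{
    char tidir[1017], file[FILE_SIZE];
    make_boundary_dir(tidir);
    printf("needs %zu bytes, original check %d, fixed check %d, snprintf %d\n",
           bytes_written(tidir, "vt100"), check_original(tidir, "vt100"),
           check_fixed(tidir, "vt100"), build_path(file, sizeof file, tidir, "vt100"));
    return 0;
}
```

With snprintf alone the path is silently cut short unless the return value is checked, so a caller that goes on to open the file should treat -1 as "no such entry".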
