Date: Thu, 19 Apr 2001 16:42:39 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: "D. K." <dk@homepage.ru>
Cc: <security@FreeBSD.ORG>
Subject: Re: FreeBSD grow bug
Message-ID: <20010419164112.C72854-100000@mail.wlcg.com>
In-Reply-To: <3ADF4DD0.17AB0F64@homepage.ru>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

That has been fixed since 4.2-RELEASE.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 20 Apr 2001, D. K. wrote:

> Hello All!
>
> I played with format strings in *printf functions
> and have found a bug in the libc library on my FreeBSD 4.2-RELEASE
> machine.
>
> The bug is in the /usr/src/lib/libc/stdio/vfprintf.c source,
> in function __grow_type_table, which is used by function
> vfprintf. The first parameter of the memset function is
> incorrectly counted up. All *printf functions which use
> vfprintf have this error.
>
> Test example:
> ===beg test.c===
> #include <stdio.h>
>
> int main(int argc, char *argv[]) {
>     /* positional argument 7: printed correctly */
>     printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
>     /* positional argument 8: crashes in the affected libc */
>     printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
>     printf("no grow bug\n");
>     return 0;
> }
> ===end test.c===
>
> Results:
> # ./test
> 7
> Segmentation fault (core dumped)
>
> If you have seen the eight, it means that your system
> does not have this bug.
>
> The error appears when the parameter after % is more than seven.
>
> Quick patch:
> ===beg grow_patch===
> --- vfprintf.c.old Sat Aug 28 04:01:20 1999 > +++ vfprintf.c Thu Apr 19 22:16:19 2001 
> @@ -1191,7 +1191,7 @@ > reallocf (typetable, sizeof (unsigned char) * newsize); > > } > - memset (&typetable [*tablesize], T_UNUSED, (newsize - *tablesize)); > + memset (*typetable + *tablesize, T_UNUSED, (newsize - *tablesize)); > > *tablesize = newsize; > }
> ===end grow_patch===
>
>
> Best Regards,
> Dmitry Kopteloff
> ---
> LG Soft Lab.
> Information Security Group, RUSSIA
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6303Ev8Bofna59hYRA9gxAKCYvnJ3ca8N7ZskTfzx6ViknZWwCQCgvpDK
idd2LjNLtUqHqjcsX0IKa0A=
=/OWA
-----END PGP SIGNATURE-----
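
Review bot: The unchanged context line above the memset, "reallocf (typetable, sizeof (unsigned char) * newsize);", still passes typetable itself, while the corrected memset line dereferences it as *typetable. If typetable is the pointer to the table pointer, as the "+" line treats it, the reallocation carries the same indirection mistake and should operate on *typetable; otherwise the memset fills slots in a buffer that was never grown. Within the lines shown there is also no NULL check between the reallocf call and the memset, so a failed allocation would turn the fill into a write at a NULL-based offset; suggest checking the result before initialising the new entries to T_UNUSED.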
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010419164112.C72854-100000>