Date: Tue, 22 Feb 2000 22:00:24 -0800 (PST)
From: spock@techfour.net
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/16926: [PATCH] banner doesn't allocate space for nul
Message-ID: <200002230600.WAA62291@freefall.freebsd.org>
>Number: 16926
>Category: bin
>Synopsis: [PATCH] banner doesn't allocate space for nul
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 22 22:10:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Mike Heffner
>Release: 4.0-current
>Organization:
>Environment:
FreeBSD 4.0-CURRENT #0: Sat Feb 19 20:05:45 EST 2000
>Description:
Banner doesn't allocate enough memory for the nul character. Banner
will seg fault if it's sent a string with any multiple of 4096
characters, because the nul ends up being written onto an unmapped
page. This patch was posted to -audit a few weeks ago.
>How-To-Repeat:
run banner with a multiple of 4096 character string
Ex: banner [4096]
>Fix:
apply the following patch and recompile.
Index: usr.bin/banner/banner.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/banner/banner.c,v
retrieving revision 1.7
diff -u -r1.7 banner.c
--- banner.c 1999/12/04 02:11:51 1.7
+++ banner.c 2000/02/02 16:15:08
@@ -1063,7 +1063,7 @@
/* Have now read in the data. Next get the message to be printed. */
if (*argv) {
for(i=0, j=0; i < argc; i++)
- j += strlen(argv[i]) + (i != 0);
+ j += strlen(argv[i]) + 1;
if ((message = malloc(j)) == NULL)
err(1, "malloc");
strcpy(message, *argv);
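Review bot: on the `+` line, `strlen(argv[i]) + 1` gives the right total only because the argc - 1 separators plus one terminating NUL add up to one byte per argument, and nothing in the hunk says so. A short comment above the loop would help, or keep the `(i != 0)` separator count and pass `j + 1` to malloc so the terminator is explicit. The `strcpy(message, *argv)` that follows relies entirely on this sum, so whatever builds the rest of the message has to stay in step with it.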
>Release-Note:
>Audit-Trail:
>Unformatted:
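The sizing error from the description above, as an added example that is not part of the original message or of banner.c. `size_before` and `size_after` reproduce the two loop bodies from the patch; `join_args` is a hypothetical helper that builds the message within the patched size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-patch sizing: characters plus separators, no byte for the NUL. */
size_t size_before(int argc, char **argv)
{
    size_t j = 0;
    for (int i = 0; i < argc; i++)
        j += strlen(argv[i]) + (i != 0);
    return j;
}

/* Patched sizing: argc - 1 separators plus the terminating NUL. */
size_t size_after(int argc, char **argv)
{
    size_t j = 0;
    for (int i = 0; i < argc; i++)
        j += strlen(argv[i]) + 1;
    return j;
}

/* Hypothetical helper (not from banner.c): space-joined copy of the
 * arguments in exactly size_after() bytes, tracking the write offset. */
char *join_args(int argc, char **argv)
{
    size_t off = 0;
    char *msg = argc > 0 ? malloc(size_after(argc, argv)) : NULL;
    if (msg == NULL)
        return NULL;
    for (int i = 0; i < argc; i++) {
        size_t n = strlen(argv[i]);
        if (i != 0)
            msg[off++] = ' ';
        memcpy(msg + off, argv[i], n);
        off += n;
    }
    msg[off] = '\0';  /* lands on the last allocated byte */
    return msg;
}

int main(void)
{
    char *args[] = { "hello", "big", "world" };  /* constructed input */
    char *m = join_args(3, args);
    if (m == NULL) return 1;
    printf("before=%zu after=%zu strlen=%zu\n",
           size_before(3, args), size_after(3, args), strlen(m));
    free(m);
    return 0;
}
```

With the pre-patch size the final NUL would fall one byte past the allocation, which is the write the report says faults when that byte lies on an unmapped page.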
