Date:      Tue, 11 Dec 2001 23:18:54 -0500 (EST)
From:      Mike Heffner <mheffner@vt.edu>
To:        freebsd-gnats-submit@freebsd.org
Cc:        Marc Olzheim <marcolz@ilse.nl>, FreeBSD-bugs <freebsd-bugs@freebsd.org>
Subject:   Re: bin/19422: users can overflow argv to make ps segfault
Message-ID:  <XFMail.20011211231854.mheffner@vt.edu>



Well, I've looked at this a little more. I was able to reproduce it (it
took a few times though). Unfortunately, the patch isn't as simple as the
one in the PR. Could you please try the attached patch? There is still a
problem though, and that is that the strlen()s can seg. fault if the
argv[] strings aren't NULL terminated - I don't know how to fix this
problem though :(

Mike

-- 
  Mike Heffner     <mheffner@[acm.]vt.edu>
  Blacksburg, VA       <mikeh@FreeBSD.org>


Content-Disposition: attachment; filename="ps.argoflow.diff"

Index: fmt.c
===================================================================
RCS file: /home/ncvs/src/bin/ps/fmt.c,v
retrieving revision 1.14
diff -u -r1.14 fmt.c
--- fmt.c	27 Aug 1999 23:14:51 -0000	1.14
+++ fmt.c	12 Dec 2001 04:12:24 -0000
@@ -61,7 +61,8 @@
 shquote(argv)
 	char **argv;
 {
-	long arg_max;
+	static long arg_max = -1;
+	long len;
 	char **p, *dst, *src;
 	static char *buf = NULL;
 
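Review bot: `static long arg_max = -1;` turns arg_max into a once-computed value with -1 as the "not yet initialised" sentinel, but the lazy initialisation that sentinel implies, and the allocation of `buf` whose size decides whether the `4 * arg_max` arithmetic of the next hunk stays in bounds, sit in the unshown lines between the two hunks; please include that region in the diff so the relation between buf's allocated size and `4 * arg_max` can be checked. `long len` is only used in the second hunk; a one-line comment saying it holds the number of input bytes that still fit after worst-case 4x vis expansion would help the next reader.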
@@ -80,13 +81,16 @@
 	for (p = argv; (src = *p++) != 0; ) {
 		if (*src == 0)
 			continue;
-		strvis(dst, src, VIS_NL | VIS_CSTYLE);
+		len = (4 * arg_max - (dst - buf)) / 4;
+		strvisx(dst, src, strlen(src) < len ? strlen(src) : len,
+		    VIS_NL | VIS_CSTYLE);
 		while (*dst)
 			dst++;
-		*dst++ = ' ';
+		if ((4 * arg_max - (dst - buf)) / 4 > 0)
+			*dst++ = ' ';
 	}
 	/* Chop off trailing space */
-	if (dst != buf)
+	if (dst != buf && dst[-1] == ' ')
 		dst--;
 	*dst = '\0';
 	return (buf);
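Review bot: the bound `len = (4 * arg_max - (dst - buf)) / 4` is only safe if buf holds at least `4 * arg_max + 1` bytes: strvisx may emit up to 4 output bytes per input byte plus a terminating NUL, so with `len` input bytes it can write dst[4 * len], which is buf[4 * arg_max] when the buffer is exactly full. Either subtract one for the NUL before dividing, e.g. `len = (4 * arg_max - (dst - buf) - 1) / 4;`, or confirm the allocation reserves the extra byte. In the strvisx call `strlen(src)` is evaluated twice and the `strlen(src) < len` comparison converts the long `len` to size_t; compute the length once into a size_t local so the one strlen the message admits can fault stays in a single, easy-to-guard place. The `dst[-1] == ' '` test added to the trailing-space chop is required now that the separator is written only when room remains; a comment tying it to the conditional `*dst++ = ' '` above would make that dependency explicit.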

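As an added example, not part of this message or of FreeBSD's ps, the following C program shows the same bounding idea in a self-contained form: each argument is limited to the number of input bytes whose worst-case 4x expansion still fits in the output buffer (one byte reserved for the NUL), the separator is only written when it fits, and each argument is read only within an explicitly known readable length, which covers the unterminated-argv case the message leaves open. `vis_bytes` is a stand-in for strvisx (C-style escapes, at most 4 output bytes per input byte), `readable[]` is an assumed per-argument bound supplied by the caller, and all inputs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Worst-case expansion of one input byte: "\ooo" is 4 output bytes. */
#define VIS_MAX 4

/* Length of s, never scanning past `limit` bytes (stand-in for strnlen),
   so an argv string that lacks its NUL cannot make us read past the
   region the caller knows to be readable. */
static size_t bounded_strlen(const char *s, size_t limit)
{
    const char *nul = memchr(s, '\0', limit);
    return nul ? (size_t)(nul - s) : limit;
}

/* Escape n bytes of src into dst with C-style escapes, at most VIS_MAX
   output bytes per input byte. dst must have room for VIS_MAX*n + 1 bytes.
   Returns the number of bytes written, excluding the terminating NUL.
   (Stand-in for strvisx(); assumed, not the libc routine.) */
static size_t vis_bytes(char *dst, const char *src, size_t n)
{
    char *d = dst;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '\\') { *d++ = '\\'; *d++ = '\\'; }
        else if (c == '\n') { *d++ = '\\'; *d++ = 'n'; }
        else if (isprint(c)) { *d++ = (char)c; }
        else { d += sprintf(d, "\\%03o", c); }   /* 4 bytes + NUL */
    }
    *d = '\0';
    return (size_t)(d - dst);
}

/* Build the escaped, space-joined command line of args[0..nargs) into
   buf[bufsize]. readable[i] is the number of bytes of args[i] known to be
   readable (an assumed bound; argv copied from another process may lack a
   NUL). Output is always NUL-terminated and never exceeds bufsize; an
   argument that cannot fit after worst-case expansion is truncated and
   the remaining arguments are dropped. Returns the result length. */
size_t shquote_bounded(const char *const *args, const size_t *readable,
                       size_t nargs, char *buf, size_t bufsize)
{
    char *dst = buf;

    if (bufsize == 0)
        return 0;
    for (size_t i = 0; i < nargs; i++) {
        size_t srclen = bounded_strlen(args[i], readable[i]);
        if (srclen == 0)
            continue;
        /* Bytes still free, minus one for the final NUL, divided by the
           worst-case expansion: mirrors (4*arg_max - (dst-buf))/4 in the
           patch but keeps the NUL byte out of the budget. */
        size_t room = bufsize - (size_t)(dst - buf) - 1;
        size_t take = room / VIS_MAX;
        if (take == 0)
            break;
        if (take > srclen)
            take = srclen;
        dst += vis_bytes(dst, args[i], take);
        if (take < srclen)
            break;                      /* truncated: nothing more fits */
        if (bufsize - (size_t)(dst - buf) - 1 >= 1)
            *dst++ = ' ';               /* separator only if it fits */
    }
    /* Chop the trailing separator, if one was written. */
    if (dst != buf && dst[-1] == ' ')
        dst--;
    *dst = '\0';
    return (size_t)(dst - buf);
}

int main(void)
{
    /* Constructed sample: the third argument is not NUL-terminated. */
    char raw[3] = { 'a', 'b', 'c' };
    const char *args[] = { "ls", "-l\n", raw };
    size_t readable[] = { 3, 4, sizeof raw };
    char out[64];

    shquote_bounded(args, readable, 3, out, sizeof out);
    printf("%s\n", out);                /* ls -l\n abc */
    return 0;
}
```

The per-argument `readable[]` bound is the piece the patch could not express: ps only knows how many bytes of the argv area it copied out, and passing that size down lets the scan stop at the end of the copied region instead of relying on a NUL that may not be there.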
