From owner-freebsd-bugs Fri Jan 12 11:10:19 2001
Message-Id:
Date: Fri, 12 Jan 2001 19:02:01 +0000
From: Tony Finch
Reply-To: Tony Finch
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/24278: strlcat may read from inaccessible memory

>Number:         24278
>Category:       bin
>Synopsis:       strlcat may read from inaccessible memory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 12 11:10:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Tony Finch
>Release:        FreeBSD 4.2-BETA-20001113 i386
>Organization:
Covalent Technologies, Inc.
>Environment:
FreeBSD hand.dotat.at 4.2-BETA-20001113 FreeBSD 4.2-BETA-20001113 #0: Tue Nov 14 00:42:35 UTC 2000 fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/DELL-Latitude-CPx i386

The problem appears to exist in all versions of strlcat.
>Description:
If the buffer size passed to strlcat is zero then it still reads a byte
from the destination buffer when working out its length. This can cause
the program to crash if the destination pointer is just after the end of
a malloced buffer, for example.

This problem was discovered by Richard Kettlewell.
>How-To-Repeat:
strlcat(0, "foo", 0);
>Fix:
Index: strlcat.c =================================================================== RCS file: /home/ncvs/src/lib/libc/string/strlcat.c,v retrieving revision 1.2 diff -u -r1.2 strlcat.c --- strlcat.c 1999/08/10 05:58:57 1.2 +++ strlcat.c 2001/01/12 18:48:35 @@ -51,7 +51,7 @@ size_t dlen; /* Find the end of dst and adjust bytes left but don't go past end */ - while (*d != '\0' && n-- != 0) + while (n-- != 0 && *d != '\0') d++; dlen = d - dst; n = siz - dlen;
>Release-Note:
>Audit-Trail:
>Unformatted:
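Review bot: the swapped operands in the `while` are correct, since `&&` short-circuits and `n-- != 0` is now false before `*d` is dereferenced when `siz` is 0, but the reordered loop also decrements `n` one extra time when it stops on the NUL (the post-decrement now runs on every iteration, including the final one that fails the `*d != '\0'` test). That is harmless only because `n = siz - dlen;` two lines later recomputes `n` from scratch; a short comment on that line saying the loop's leftover `n` is deliberately discarded would keep a later change from relying on it. The same ordering also stops the loop from reading `dst[siz]` when `dst` holds no NUL within its first `siz` bytes, of which the zero-size case in the Description is the extreme; the How-To-Repeat call `strlcat(0, "foo", 0);` is worth keeping as a regression test, since with this ordering it must complete without touching `dst` at all.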
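The two loop orderings from the patch, as an added example that is not part of this PR or of libc: both loops are instrumented with a read counter (`peek()`, `struct scan`, `scan_original()` and `scan_fixed()` are hypothetical names for this demo) so the number of bytes of `dst` each one dereferences can be checked rather than waited for as a crash. It also goes beyond the zero-size case in the Description: with a constructed guard byte placed inside a larger array, it shows that the old ordering reads one byte past `siz` whenever `dst` holds no NUL within `siz` bytes, while the fixed ordering stops at `siz`.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not the libc code from the PR): the two orderings of
 * strlcat's "find the end of dst" loop, with every read of dst routed
 * through peek() so the number of bytes actually dereferenced can be
 * counted.  The counter and struct scan are hypothetical instrumentation
 * for this demo; the real strlcat has neither.
 */

struct scan {
    size_t dlen;   /* length the loop computed for dst */
    size_t reads;  /* how many bytes of dst it dereferenced to get there */
};

static size_t reads;

static char peek(const char *p)
{
    reads++;
    return *p;
}

/* Ordering before the fix: *d is dereferenced before n is examined. */
struct scan scan_original(const char *dst, size_t siz)
{
    const char *d = dst;
    size_t n = siz;
    struct scan r;

    reads = 0;
    while (peek(d) != '\0' && n-- != 0)
        d++;
    r.dlen = (size_t)(d - dst);
    r.reads = reads;
    return r;
}

/* Ordering after the fix: n is examined first and && short-circuits,
 * so once the siz bytes are used up no further byte of dst is read. */
struct scan scan_fixed(const char *dst, size_t siz)
{
    const char *d = dst;
    size_t n = siz;
    struct scan r;

    reads = 0;
    while (n-- != 0 && peek(d) != '\0')
        d++;
    r.dlen = (size_t)(d - dst);
    r.reads = reads;
    return r;
}

/*
 * Constructed inputs.  The "guarded" case keeps a guard byte 'X' inside
 * the array so the over-read stays inside allocated memory and the demo
 * itself is well-defined; against a real allocation of exactly siz bytes
 * the same read lands one byte past the end, which is the PR's crash.
 */
const char terminated[] = "abc";   /* NUL inside siz when siz >= 4 */
const char guarded[] = "abcX";     /* with siz = 3, no NUL in range */

int main(void)
{
    struct scan o, f;

    o = scan_original(terminated, 0);
    f = scan_fixed(terminated, 0);
    printf("siz=0:               original reads %zu, fixed reads %zu\n",
           o.reads, f.reads);

    o = scan_original(guarded, 3);
    f = scan_fixed(guarded, 3);
    printf("siz=3, unterminated: original reads %zu, fixed reads %zu "
           "(dlen %zu/%zu)\n", o.reads, f.reads, o.dlen, f.dlen);

    o = scan_original(terminated, sizeof terminated);
    f = scan_fixed(terminated, sizeof terminated);
    printf("siz=4, terminated:   original reads %zu, fixed reads %zu "
           "(dlen %zu/%zu)\n", o.reads, f.reads, o.dlen, f.dlen);
    return 0;
}
```

Build with `cc -Wall -o scan scan.c && ./scan`. For a terminated `dst` both orderings read the same bytes and agree on `dlen`; the difference shows up only when the NUL is not within `siz`, where the old loop always touches one byte beyond the range it was told it may use.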