Date: Wed, 10 Jul 2019 16:22:18 -0400 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Justin Hibbits <chmeeedalf@gmail.com> Cc: Philip Paeps <philip@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r349890 - head/contrib/telnet/telnet Message-ID: <20190710202218.yc3lcd6tsql3zkyr@mutt-hbsd> In-Reply-To: <20190710151944.0fd94ec3@titan.knownspace> References: <201907101742.x6AHg4os016752@repo.freebsd.org> <20190710195548.kdftfemj3icarcxo@mutt-hbsd> <20190710151944.0fd94ec3@titan.knownspace>
next in thread | previous in thread | raw e-mail | index | archive | help
--amaqwuyn6xpvcs6j Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jul 10, 2019 at 03:19:44PM -0500, Justin Hibbits wrote: > On Wed, 10 Jul 2019 15:55:48 -0400 > Shawn Webb <shawn.webb@hardenedbsd.org> wrote: >=20 > > On Wed, Jul 10, 2019 at 05:42:04PM +0000, Philip Paeps wrote: > > > Author: philip > > > Date: Wed Jul 10 17:42:04 2019 > > > New Revision: 349890 > > > URL: https://svnweb.freebsd.org/changeset/base/349890 > > >=20 > > > Log: > > > telnet: fix a couple of snprintf() buffer overflows > > > =20 > > > Obtained from: Juniper Networks > > > MFC after: 1 week > > >=20 > > > Modified: > > > head/contrib/telnet/telnet/commands.c > > > head/contrib/telnet/telnet/telnet.c > > > head/contrib/telnet/telnet/utilities.c > > >=20 > > > Modified: head/contrib/telnet/telnet/commands.c > > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D > > > --- head/contrib/telnet/telnet/commands.c Wed Jul 10 > > > 17:21:59 2019 (r349889) +++ > > > head/contrib/telnet/telnet/commands.c Wed Jul 10 17:42:04 > > > 2019 (r349890) @@ -1655,10 +1655,11 @@ env_init(void) char > > > hbuf[256+1]; char *cp2 =3D strchr((char *)ep->value, ':'); > > > =20 > > > - gethostname(hbuf, 256); > > > - hbuf[256] =3D '\0'; > > > - cp =3D (char *)malloc(strlen(hbuf) + strlen(cp2) + > > > 1); > > > - sprintf((char *)cp, "%s%s", hbuf, cp2); > > > + gethostname(hbuf, sizeof(hbuf)); > > > + hbuf[sizeof(hbuf)-1] =3D '\0'; > > > + unsigned int buflen =3D strlen(hbuf) + strlen(cp2) + > > > 1; =20 > >=20 > > buflen should be defined with the rest of the variables in the code > > block above this one. >=20 > Agreed. >=20 > >=20 > > > + cp =3D (char *)malloc(sizeof(char)*buflen); =20 > >=20 > > Lack of NULL check here leads to > >=20 > > > + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); =20 > >=20 > > potential NULL pointer deref here. >=20 > I'm not sure if this is actually a problem. env_init() is called > exactly once, at the beginning of main(), and the environment size is > fully constrained by the OS. >=20 > That said, this file it the only one in this component that does not > check the return value of malloc(). All other uses, outside of this > file, check and error. While fixing the style(9) violation above, we could still take care of the potential NULL deref at the same time. If anything, just for code correctness reasons? Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 --amaqwuyn6xpvcs6j Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAl0mSPUACgkQ/y5nonf4 4frvKBAAivH1YeBwZUNG74MEdAj1APyfWpZnoJ//ReAdq/KhULPB3r9KSx2kjj3K GOkigEDKoRYNgIEVAhKBG6oyI3BBdnJJfHdF4Kl+OfmB/ORuGuUQOjWA7ddcFYRH +09PsOTnKckD2NpthTf1/CDzLtmYERIl7v1b9okUb9s2df5jYZGFwBMoKcccA8fP GwZaqmOuc1tc3fALVRqi3Xd0jV4750g+pkE36ggfMxgo1srlBCc1L9jiNqOwYjiK 7a3ccsfqcJoG/hGqjcGPUzR2xtTYCZ8crMTXebhtXYq+qH1Djx9lZX14LQXroQLO EQSL53KdfP7ZzH/M+Zyp5p2xHX8MnHiuGmdr0smYpT9m6db9WDN0/tDfSN8/xdys qmWWHR7CjWIxWitwTPz2VMFRrf08i3f5PYyxn64IhUUE5tAHdThMtn0OZTrXVKRk WFFw994IX7zOucJogiJrhfeyhX+fKe1JjkIyGDigzZJwFxIfslm47YJzcmZMn124 z/WG2iO17rbtYaaCvRRJnEeUMmCHhKJSqbKw0r3j4ehpPEvjZqjLS1EKL9Hw9BoV vM2unh2GM/g9ygREf9dwKSBk5BxSHLb88g9dDgR9eb7ZAaTODWpH1Z0L78tm9uNf pdm2ag7zNkfjOvN906TV83OHGL4cH8dtnqNQU5QUTcrFBljIQOY= =WE9C -----END PGP SIGNATURE----- --amaqwuyn6xpvcs6j--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190710202218.yc3lcd6tsql3zkyr>