Date: Wed, 10 Jul 2019 18:43:41 -0400 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Warner Losh <imp@bsdimp.com> Cc: Justin Hibbits <chmeeedalf@gmail.com>, Philip Paeps <philip@freebsd.org>, src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head <svn-src-head@freebsd.org> Subject: Re: svn commit: r349890 - head/contrib/telnet/telnet Message-ID: <20190710224341.i3rbhapmpdw6gkbd@mutt-hbsd> In-Reply-To: <CANCZdfoDR9UTU3opp%2BA=WSgioJH3LJ4Je1AjQHDTAt%2Byni3NWQ@mail.gmail.com> References: <201907101742.x6AHg4os016752@repo.freebsd.org> <20190710195548.kdftfemj3icarcxo@mutt-hbsd> <20190710151944.0fd94ec3@titan.knownspace> <20190710202218.yc3lcd6tsql3zkyr@mutt-hbsd> <20190710222918.vj4creizlubdzgw3@mutt-hbsd> <CANCZdfoDR9UTU3opp%2BA=WSgioJH3LJ4Je1AjQHDTAt%2Byni3NWQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--ac2c4ewsv4bdieh7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jul 10, 2019 at 04:40:25PM -0600, Warner Losh wrote: > On Wed, Jul 10, 2019 at 4:29 PM Shawn Webb <shawn.webb@hardenedbsd.org> > wrote: >=20 > > On Wed, Jul 10, 2019 at 04:22:18PM -0400, Shawn Webb wrote: > > > On Wed, Jul 10, 2019 at 03:19:44PM -0500, Justin Hibbits wrote: > > > > On Wed, 10 Jul 2019 15:55:48 -0400 > > > > Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > > > > > > > > > On Wed, Jul 10, 2019 at 05:42:04PM +0000, Philip Paeps wrote: > > > > > > Author: philip > > > > > > Date: Wed Jul 10 17:42:04 2019 > > > > > > New Revision: 349890 > > > > > > URL: https://svnweb.freebsd.org/changeset/base/349890 > > > > > > > > > > > > Log: > > > > > > telnet: fix a couple of snprintf() buffer overflows > > > > > > > > > > > > Obtained from: Juniper Networks > > > > > > MFC after: 1 week > > > > > > > > > > > > Modified: > > > > > > head/contrib/telnet/telnet/commands.c > > > > > > head/contrib/telnet/telnet/telnet.c > > > > > > head/contrib/telnet/telnet/utilities.c > > > > > > > > > > > > Modified: head/contrib/telnet/telnet/commands.c > > > > > > > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D > > > > > > --- head/contrib/telnet/telnet/commands.c Wed Jul 10 > > > > > > 17:21:59 2019 (r349889) +++ > > > > > > head/contrib/telnet/telnet/commands.c Wed Jul 10 17:42:04 > > > > > > 2019 (r349890) @@ -1655,10 +1655,11 @@ env_init(void) char > > > > > > hbuf[256+1]; char *cp2 =3D strchr((char *)ep->value, ':'); > > > > > > > > > > > > - gethostname(hbuf, 256); > > > > > > - hbuf[256] =3D '\0'; > > > > > > - cp =3D (char *)malloc(strlen(hbuf) + strlen(cp2= ) + > > > > > > 1); > > > > > > - sprintf((char *)cp, "%s%s", hbuf, cp2); > > > > > > + gethostname(hbuf, sizeof(hbuf)); > > > > > > + hbuf[sizeof(hbuf)-1] =3D '\0'; > > > > > > + unsigned int buflen =3D strlen(hbuf) + strlen(= cp2) + > > > > > > 1; > > > > > > > > > > buflen should be defined with the rest of the variables in the co= de > > > > > block above this one. > > > > > > > > Agreed. > > > > > > > > > > > > > > > + cp =3D (char *)malloc(sizeof(char)*buflen); > > > > > > > > > > Lack of NULL check here leads to > > > > > > > > > > > + snprintf((char *)cp, buflen, "%s%s", hbuf, cp2); > > > > > > > > > > potential NULL pointer deref here. > > > > > > > > I'm not sure if this is actually a problem. env_init() is called > > > > exactly once, at the beginning of main(), and the environment size = is > > > > fully constrained by the OS. > > > > > > > > That said, this file it the only one in this component that does not > > > > check the return value of malloc(). All other uses, outside of this > > > > file, check and error. > > > > > > While fixing the style(9) violation above, we could still take care of > > > the potential NULL deref at the same time. If anything, just for code > > > correctness reasons? > > > > Here's a patch: > > > > https://gist.github.com/579685c0252673c3ad92d2536c3486c7 >=20 >=20 > Any reason to not use asprintf instead of malloc + snprintf? Because the existing code already used malloc + snprintf. And this is contrib/telnet/telnet, which arguably should be `rm -rf`ed. ;) The bike shed is now glow-in-the-dark neon green. Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: lattera@is.a.hacker.sx GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 --ac2c4ewsv4bdieh7 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAl0mahcACgkQ/y5nonf4 4fr/jA//RimSOU70RBT1Nd1RxIDlTLZGfwXvN8F8SL3OW+H2FhP+J0UvCzNghszj 8ox5RnWFsZa2WZckTd3zz3FSqUvt5WjNWD1JLSvCBJtTg4alfLkP6MUmCwVeHM/I JZVaOCzHcTr0W+hIq/QrkVcPMZJEm78INuDtn8rRtqp01foh5Wtea0hB5xaPC+DG CIvT2fhOue0eRkKSpc6xaeOSvaH3xHoOWLHRMniY4Moy3EoPpgRL/99ID+0ihaOA 4iD/ynMbJH9ClaKtkjgYi3Zy75vbmF+oNCMIIdHbG9+O0djtJ+xdJkXIzD1XIqoA YbUPE54svJ/Lk5jHKMtF+6b6bAdVbOGOrTedPTKW0y6CEIfB7KWz1dCYtNwltKQG /728n1AP6xQjySy8T5NwxSb7bQyC+FD0OeBOK4kgBSWQQIGonBKFCh4IswPP4RBk x8kShM5ILAClMhSZHYXMCoQEAY6Ia0zlRf2pAvYf08aGcNtsc0Qrg8X4ShHdBFEG 3SXNii9O7ikKNOl4oWOSISiXprzSTEm84OzJ3BiEdfl6QVqkipUrYmfm5lL3ZyI8 XSFjzlZ8hTwZ/KXtV/O46q+ZD/9BN35qIN1Jo+33P3tZ2h4ZEcf44ygDgstkGwel pdw3HTjvTDSWyUCY1NNhdiMqGvDm5nlQIPC0HeyUtjKMDK0GIAE= =j5EO -----END PGP SIGNATURE----- --ac2c4ewsv4bdieh7--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190710224341.i3rbhapmpdw6gkbd>