Subject: bin/5437: possible buffer overflow in "uux"
To: None <gnats-bugs@gnats.netbsd.org>
From: Matthias Scheler <tron@lyssa.owl.de>
List: netbsd-bugs
Date: 05/11/1998 02:22:48
>Number: 5437
>Category: bin
>Synopsis: possible buffer overflow in "uux"
>Confidential: yes
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun May 10 17:35:01 1998
>Last-Modified:
>Originator: Matthias Scheler
>Organization:
Matthias Scheler http://home.owl.de/~tron/
>Release: 980509
>Environment:
System: NetBSD lyssa 1.3E NetBSD 1.3E (LYSSA) #0: Mon May 4 10:41:43 MEST 1998 tron@lyssa:/src/src/sys/arch/i386/compile/LYSSA i386
>Description:
In "src/gnu/libexec/uucp/uux/uux.c" arround line 535 a string is copied
into a buffer which is one byte to small:
else
{
clen = zexclam - zcmd;
zforward = zbufalc (clen);
memcpy (zforward, zcmd, clen);
zforward[clen] = '\0';
^^^^
One byte behind allocated area.
zcmd = zexclam + 1;
}
>How-To-Repeat:
Requires very complex UUCP setup to reproduce, better read the source.
>Fix:
--- src/gnu/libexec/uucp/uux/uux.c.orig Sat Oct 14 01:11:27 1995
+++ src/gnu/libexec/uucp/uux/uux.c Mon May 11 01:37:54 1998
@@ -532,7 +532,7 @@
else
{
clen = zexclam - zcmd;
- zforward = zbufalc (clen);
+ zforward = zbufalc (clen + 1);
memcpy (zforward, zcmd, clen);
zforward[clen] = '\0';
zcmd = zexclam + 1;
>Audit-Trail:
>Unformatted: