Subject: bin/5437: possible buffer overflow in "uux"
To: None <gnats-bugs@gnats.netbsd.org>
From: Matthias Scheler <tron@lyssa.owl.de>
List: netbsd-bugs
Date: 05/11/1998 02:22:48
>Number:         5437
>Category:       bin
>Synopsis:       possible buffer overflow in "uux"
>Confidential:   yes
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 10 17:35:01 1998
>Last-Modified:
>Originator:     Matthias Scheler
>Organization:
Matthias Scheler                                http://home.owl.de/~tron/
>Release:        980509
>Environment:
System: NetBSD lyssa 1.3E NetBSD 1.3E (LYSSA) #0: Mon May 4 10:41:43 MEST 1998 tron@lyssa:/src/src/sys/arch/i386/compile/LYSSA i386


>Description:
In "src/gnu/libexec/uucp/uux/uux.c" around line 535 a string is copied
into a buffer which is one byte too small:
       else
        {
          clen = zexclam - zcmd;
          zforward = zbufalc (clen);
          memcpy (zforward, zcmd, clen);
          zforward[clen] = '\0';
                   ^^^^
          One byte behind allocated area.

          zcmd = zexclam + 1;
        }

>How-To-Repeat:
Requires very complex UUCP setup to reproduce, better read the source.

>Fix:
--- src/gnu/libexec/uucp/uux/uux.c.orig	Sat Oct 14 01:11:27 1995
+++ src/gnu/libexec/uucp/uux/uux.c	Mon May 11 01:37:54 1998
@@ -532,7 +532,7 @@
       else
 	{
 	  clen = zexclam - zcmd;
-	  zforward = zbufalc (clen);
+	  zforward = zbufalc (clen + 1);
 	  memcpy (zforward, zcmd, clen);
 	  zforward[clen] = '\0';
 	  zcmd = zexclam + 1;
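Review bot: The `+ 1` in `zbufalc (clen + 1)` has no comment tying it to the terminator written two lines later at `zforward[clen] = '\0'`, so a later cleanup could easily drop it again; a one-line comment on the allocation would pin that down. The declaration of `clen` is outside this hunk, so it is worth confirming that it is an unsigned size type and that `zexclam` can never point before `zcmd`, since `clen` feeds both the allocation size and the `memcpy` length. Other `zbufalc` callers in this file that allocate and then NUL-terminate deserve the same check.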

>Audit-Trail:
>Unformatted:
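
The off-by-one described in this report, as an added example that is not part of the original report or of the UUCP sources: `guarded_alloc` is a hypothetical stand-in for `zbufalc` that hides one guard byte after the requested size, so the stray terminator write is detected without leaving the allocation. `split_forward` and the sample command string are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0xA5  /* constructed canary value */

/* Hypothetical stand-in for zbufalc(): n usable bytes plus one hidden guard
   byte, so a write at index n is detectable without leaving the allocation. */
static char *guarded_alloc(size_t n)
{
    unsigned char *p = malloc(n + 1);
    if (p == NULL)
        abort();
    p[n] = GUARD;
    return (char *)p;
}

/* Copy the text before the first '!' in zcmd, following the uux.c fragment.
   extra = 0 models the reported allocation (clen bytes),
   extra = 1 models the patched one (clen + 1 bytes).
   Returns 1 if the guard survived, 0 if it was overwritten, -1 if no '!'. */
static int split_forward(const char *zcmd, size_t extra, char *out, size_t outlen)
{
    const char *zexclam = strchr(zcmd, '!');
    if (zexclam == NULL)
        return -1;

    size_t clen = (size_t)(zexclam - zcmd);
    size_t usable = clen + extra;
    char *zforward = guarded_alloc(usable);
    memcpy(zforward, zcmd, clen);
    zforward[clen] = '\0';      /* lands on the guard byte when extra == 0 */
    int ok = (unsigned char)zforward[usable] == GUARD;
    if (ok && outlen > clen)
        memcpy(out, zforward, clen + 1);
    free(zforward);
    return ok;
}

int main(void)
{
    char out[32] = "";
    printf("reported: %d\n", split_forward("hostA!rmail user", 0, out, sizeof out));
    printf("patched:  %d (%s)\n", split_forward("hostA!rmail user", 1, out, sizeof out), out);
    return 0;
}
```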