Subject: lib/30833: Buffer overflow in lib/libc/gen/__glob13.c
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <tomska@packetfront.com>
List: netbsd-bugs
Date: 07/25/2005 14:48:00
>Number:         30833
>Category:       lib
>Synopsis:       Buffer overflow in lib/libc/gen/__glob13.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 25 14:48:00 +0000 2005
>Originator:     Tomas Skäre
>Release:        1.6
>Organization:
PacketFront
>Environment:
>Description:
Static code analysis run on NetBSD kernel showed an error in lib/libc/gen/__glob13.c. There is a possible buffer overflow in
glob1() (called from glob0, which is called from glob). It also
exists in current CVS head. 

On row 604:

return(glob2(pathbuf, pathbuf, pathbuf + sizeof(pathbuf) - 1, pattern,
             pglob, limit));

pathbuf is declared as:

Char pathbuf[MAXPATHLEN+1];

where the type "Char" is u_short when DEBUG is not set.

sizeof(pathbuf) therefore returns 2 * (MAXPATHLEN+1), and when this is applied in pointer arithmetic with pointers of the type Char (u_short) it will double once more (as it should), so "pathbuf + sizeof(pathbuf) - 1" will not point at the end of pathbuf but rather MAXPATHLEN further beyond it.
>How-To-Repeat:

>Fix:
Replacing sizeof(pathbuf) with MAXPATHLEN should probably work.
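The following is an added example illustrating the byte-count/element-count confusion the report describes; it is not code from the report or from NetBSD's __glob13.c. It assumes MAXPATHLEN is the BSD value 1024, declares Char as unsigned short (the non-DEBUG case), and uses a bounded copy of its own (bounded_copy, not glob2) as a stand-in for the writer that glob1() hands the limit pointer to. pathbuf is placed at the front of a larger canary-filled backing array so that the overshoot lands in memory the program can inspect instead of being undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned short Char;         /* Char with DEBUG unset, as in the report */
#define MAXPATHLEN 1024              /* assumption: BSD value */
#define PATHBUF_ELEMS (MAXPATHLEN + 1)
#define BACKING_ELEMS (2 * PATHBUF_ELEMS)
#define CANARY ((Char)0xEEEE)

/* What "pathbuf + sizeof(pathbuf) - 1" means as an element offset from pathbuf:
 * sizeof() yields bytes, but pointer arithmetic on Char* advances by
 * sizeof(Char) bytes per step, so the byte count is applied as an element
 * count and is doubled again. */
size_t buggy_limit_offset(void)
{
    Char pathbuf[MAXPATHLEN + 1];
    return sizeof(pathbuf) - 1;          /* 2*(MAXPATHLEN+1) - 1 */
}

/* The intended limit: the last valid element of a Char[MAXPATHLEN+1], via the
 * element-count idiom (equivalent to the report's "use MAXPATHLEN" fix). */
size_t fixed_limit_offset(void)
{
    Char pathbuf[MAXPATHLEN + 1];
    return sizeof(pathbuf) / sizeof(pathbuf[0]) - 1;   /* MAXPATHLEN */
}

/* Stand-in for a limit-bounded writer (NOT glob2's code): copies src into dst
 * while the write position stays below the limit pointer. */
static size_t bounded_copy(Char *dst, const Char *lim, const Char *src, size_t n)
{
    size_t i = 0;
    while (i < n && dst + i < lim) {
        dst[i] = src[i];
        i++;
    }
    return i;
}

/* Run the writer with the limit computed the buggy way (buggy != 0) or the
 * fixed way, on a constructed over-long input, and return how many canary
 * elements beyond the end of pathbuf were overwritten. */
size_t canary_clobbered(int buggy)
{
    static Char backing[BACKING_ELEMS];
    static Char src[BACKING_ELEMS];
    Char *pathbuf = backing;             /* the Char[MAXPATHLEN+1] of glob1() */
    const Char *lim;
    size_t i, clobbered = 0;

    for (i = 0; i < BACKING_ELEMS; i++) {
        backing[i] = CANARY;
        src[i] = (Char)'a';              /* constructed input longer than pathbuf */
    }

    lim = pathbuf + (buggy ? buggy_limit_offset() : fixed_limit_offset());
    bounded_copy(pathbuf, lim, src, BACKING_ELEMS);

    for (i = PATHBUF_ELEMS; i < BACKING_ELEMS; i++)
        if (backing[i] != CANARY)
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("limit offset: buggy=%zu fixed=%zu (last valid index %d)\n",
           buggy_limit_offset(), fixed_limit_offset(), MAXPATHLEN);
    printf("elements written past pathbuf: buggy=%zu fixed=%zu\n",
           canary_clobbered(1), canary_clobbered(0));
    return 0;
}
```

With a 2-byte Char the buggy limit sits at element 2049 rather than 1024, so a long enough pattern overwrites MAXPATHLEN elements (2 * MAXPATHLEN bytes) beyond pathbuf; with the element-count limit nothing past the array is touched. The same check applies to any sizeof() used in pointer arithmetic on a non-char type.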