Subject: lib/30839: Buffer underflow possible in lib/libc/stdio/tempnam.c
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <tomska@packetfront.com>
List: netbsd-bugs
Date: 07/26/2005 14:21:00
>Number: 30839
>Category: lib
>Synopsis: Buffer underflow possible in lib/libc/stdio/tempnam.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jul 26 14:21:00 +0000 2005
>Originator: Tomas Skäre
>Release: 1.6
>Organization:
PacketFront
>Environment:
>Description:
Static code analysis run on NetBSD libc showed that tempnam may access memory outside a buffer in tempnam().
In the code:
    if ((f = getenv("TMPDIR")) != NULL) {
        (void)snprintf(name, (size_t)MAXPATHLEN, "%s%s%sXXXXXXX", f,
            *(f + strlen(f) - 1) == '/'? "": "/", pfx);
        if ((f = _mktemp(name)) != NULL)
            return(f);
    }
If TMPDIR is set to an empty string, the *(f + strlen(f) - 1) will access f[-1], which is illegal.
The same thing exists in current CVS.
>How-To-Repeat:
>Fix:
Add a check if *f is nul.
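As an added example (not part of this PR and not the NetBSD libc source), the TMPDIR branch quoted in the Description rewritten with the check the Fix section asks for: an empty TMPDIR is treated like an unset one, so strlen(f) - 1 is never evaluated on a zero-length string. The helper names tmpdir_is_usable, dir_separator and build_tmp_template are hypothetical, and MAXPATHLEN is given a fallback value so the file compiles outside the BSD tree.

```c
/* Added example: the tempnam() TMPDIR branch from PR lib/30839 with the
 * suggested "*f is nul" check applied. Helper names are hypothetical;
 * this is not the NetBSD libc code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024   /* fallback; sys/param.h defines it on BSD */
#endif

/* The PR's fix: an unset TMPDIR and an empty TMPDIR are treated alike,
 * so nothing below computes strlen(f) - 1 on a zero-length string. */
int
tmpdir_is_usable(const char *f)
{
    return f != NULL && *f != '\0';
}

/* Separator decision from the original snippet. The caller already
 * guarantees len >= 1, but the guard is kept so the function is safe
 * on its own: for "" the original expression reads f[-1]. */
const char *
dir_separator(const char *f)
{
    size_t len = strlen(f);

    if (len == 0)
        return "";
    return f[len - 1] == '/' ? "" : "/";
}

/* Builds "<dir><sep><pfx>XXXXXXX" the way tempnam() does. Returns the
 * length snprintf would have produced, so a caller can detect truncation
 * against MAXPATHLEN, or -1 if the directory is not usable (unset or ""). */
int
build_tmp_template(char *name, size_t namelen, const char *dir, const char *pfx)
{
    if (!tmpdir_is_usable(dir))
        return -1;
    return snprintf(name, namelen, "%s%s%sXXXXXXX", dir, dir_separator(dir), pfx);
}

int
main(void)
{
    char name[MAXPATHLEN];
    /* Constructed values standing in for getenv("TMPDIR"). */
    const char *cases[] = { "/tmp", "/tmp/", "", NULL };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (build_tmp_template(name, sizeof name, cases[i], "tmp.") < 0)
            printf("TMPDIR=%s: skipped, fall through to the next candidate\n",
                cases[i] == NULL ? "(unset)" : "\"\"");
        else
            printf("TMPDIR=\"%s\": %s\n", cases[i], name);
    }
    return 0;
}
```

Run as-is it prints the template for "/tmp" and "/tmp/" (both "/tmp/tmp.XXXXXXX") and reports the empty and unset cases as skipped, which is where the original code would fall through to its later P_tmpdir candidates instead of reading before the buffer.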