[src/trunk]: src/lib/libc/locale fix a bug of setlocale when changing locales...

[tshiozak <tshiozak%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/6e8f7b2dc4c1
branches:  trunk
changeset: 534737:6e8f7b2dc4c1
user:      tshiozak <tshiozak%NetBSD.org@localhost>
date:      Fri Aug 02 07:12:51 2002 +0000

description:
fix a bug of setlocale when changing locales with LC_ALL for the first
argunemt and with a string containing many slashes for the second argument.
This bug may cause setlocale() to destroy static datas.

If a setuid program calls this function as 'setlocale(LC_ALL, "");',
this might be vulnerable, although there are few programs having such
vulnerability.  This bug probably affects every versions of NetBSD,
including 1.4, 1.5 and 1.6.

XXX: This part of setlocale is unseemly, thus we had better rewrite it in
the future.

diffstat:

 lib/libc/locale/setlocale.c |  14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

diffs (46 lines):

diff -r 5cbf8712f549 -r 6e8f7b2dc4c1 lib/libc/locale/setlocale.c
--- a/lib/libc/locale/setlocale.c       Fri Aug 02 06:52:16 2002 +0000
+++ b/lib/libc/locale/setlocale.c       Fri Aug 02 07:12:51 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: setlocale.c,v 1.37 2002/02/13 07:59:45 yamt Exp $      */
+/*     $NetBSD: setlocale.c,v 1.38 2002/08/02 07:12:51 tshiozak Exp $  */
 
 /*
  * Copyright (c) 1991, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)setlocale.c        8.1 (Berkeley) 7/4/93";
 #else
-__RCSID("$NetBSD: setlocale.c,v 1.37 2002/02/13 07:59:45 yamt Exp $");
+__RCSID("$NetBSD: setlocale.c,v 1.38 2002/08/02 07:12:51 tshiozak Exp $");
 #endif
 #endif /* LIBC_SCCS and not lint */
 
@@ -169,20 +169,24 @@
                        if (!r[1])
                                return (NULL);  /* Hmm, just slashes... */
                        do {
+                               if (i == _LC_LAST)
+                                       return (NULL);  /* too many slashes. */
                                len = r - locale > sizeof(new_categories[i]) - 1
                                        ? sizeof(new_categories[i]) - 1
                                        : r - locale;
-                               (void)strncpy(new_categories[i++], locale, len);
-                               new_categories[i++][len] = 0;
+                               (void)strlcpy(new_categories[i], locale, len+1);
+                               i++;
                                locale = r;
                                while (*locale == '/')
                                    ++locale;
                                while (*++r && *r != '/');
                        } while (*locale);
-                       while (i < _LC_LAST)
+                       while (i < _LC_LAST) {
                                (void)strlcpy(new_categories[i],
                                    new_categories[i - 1],
                                    sizeof(new_categories[i]));
+                               i++;
+                       }
                }
        }