From mboxrd@z Thu Jan 1 00:00:00 1970
From: andrey mirtchovski
To: 9fans@cse.psu.edu
Subject: Re: [9fans] 4th edition file server available
In-Reply-To: <932e2dcf6c7cc416329e51ff3789f75d@plan9.bell-labs.com>
Message-ID: <20030114080254.R93707-100000@fbsd.acl.lanl.gov>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Tue, 14 Jan 2003 08:20:07 -0700
Topicbox-Message-UUID: 40f962a8-eacb-11e9-9e20-41e7f4b1d025

On Mon, 13 Jan 2003, Russ Cox wrote:

> There are no buffer overflows anyway. ;-)

I see the smiley, but have to reply anyway. This is not a nasty jab at
Russ, just a fix (I hope :)

There's a buffer overflow in cpu.c (strcpy):

% cpu -h `{perl -e '{print "A"x100;}'}
cpu 116986: suicide: sys: trap: fault read addr=0x19000 pc=0x00005b8b
plan9% acid 116986
/proc/116986/text:386 plan 9 executable
/sys/lib/acid/port
/sys/lib/acid/386
acid: stk()
At pc:0x00005b8b:fmtfmt+0x1f /sys/src/libc/fmt/fmt.c:63
fmtfmt(c=0x00000073) /sys/src/libc/fmt/fmt.c:57
	called from _fmtdispatch+0x83 /sys/src/libc/fmt/fmt.c:175
_fmtdispatch(isrunes=0x00000000,f=0x7fffeb48,fmt=0x000168b6) /sys/src/libc/fmt/fmt.c:113
	called from dofmt+0x75 /sys/src/libc/fmt/dofmt.c:62
dofmt(fmt=0x000168b4,f=0x7fffeb48) /sys/src/libc/fmt/dofmt.c:7
	called from vsnprint+0x62 /sys/src/libc/fmt/vsnprint.c:20
vsnprint(len=0x00000100,buf=0x00018734,args=0x7fffebac,fmt=0x000168b0) /sys/src/libc/fmt/vsnprint.c:5
	called from snprint+0x2b /sys/src/libc/fmt/snprint.c:13
snprint(fmt=0x000168b0,buf=0x00018734,len=0x00000100) /sys/src/libc/fmt/snprint.c:5
	called from netmkaddr+0x5e /sys/src/libc/port/netmkaddr.c:34
netmkaddr(linear=0x00017e0c,defnet=0x00000000,defsrv=0x00016978) /sys/src/libc/port/netmkaddr.c:10
	called from rexcall+0x28 /sys/src/cmd/cpu.c:347
rexcall(host=0x00017e0c,service=0x00016978,fd=0x7fffed98) /sys/src/cmd/cpu.c:339
	called from main+0x132 /sys/src/cmd/cpu.c:147
main(argv=0x7fffef84,argc=0x00000000) /sys/src/cmd/cpu.c:77
	called from _main+0x31 /sys/src/libc/386/main9.s:16
acid:
----------------------

Here's the fix:

plan9% diff cpu.c /sys/src/cmd/cpu.c
121c121
< 	strncpy(system, p, sizeof system);
---
> 	strcpy(system, p);
plan9% 8c cpu.c; 8l cpu.8
plan9% 8.out -h `{perl -e '{print "A"x100}'}
cpu: can't dial: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: cs: can't translate address
plan9%
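Review bot: the strncpy(system, p, sizeof system) in the 121c121 hunk stops the write at the end of the buffer but does not NUL-terminate it when p is at least sizeof system bytes long, so the netmkaddr/snprint path in the stack trace can still read past system; the test run echoing a run of A's that stops well short of the 100 supplied is consistent with a full, unterminated buffer that happened to be followed by a zero byte. Follow the strncpy with `system[sizeof system - 1] = 0;`, or use Plan 9's strecpy(system, system + sizeof system, p), which truncates and terminates in one call. Also, diff was run with the edited file first and the original second, so `<` is the new line and `>` the old; swapping the arguments would make the hunk read as a conventional patch.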
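An added example, not code from the post or from Plan 9's cpu.c, that shows the difference between the strncpy fix above and a bounded copy that also terminates. It assumes a 32-byte destination (the size of cpu.c's system[] is not stated in the post) and builds the same 100-byte argument the post generates with perl; copytrunc is a hypothetical helper with the truncate-and-terminate behaviour of Plan 9's strecpy.

```c
#include <stdio.h>
#include <string.h>

/* Added example; not code from the 9fans post or from Plan 9's cpu.c.
 * The post replaces strcpy(system, p) with strncpy(system, p, sizeof system).
 * strncpy stops writing at the buffer end but does not NUL-terminate when
 * strlen(p) >= sizeof system, so a later read of the buffer still runs off
 * its end. copytrunc below truncates and always terminates, which is the
 * behaviour Plan 9's strecpy gives. */

enum { SYSLEN = 32 };	/* assumed size of cpu.c's system[] buffer */
enum { ARGLEN = 100 };	/* the 100-byte argument the post builds with perl */

/* Bounded copy: at most n-1 bytes of src, always NUL-terminated.
 * Returns the number of bytes copied, excluding the terminator. */
size_t copytrunc(char *dst, size_t n, const char *src)
{
	size_t len;

	if (n == 0)
		return 0;
	len = strlen(src);
	if (len > n - 1)
		len = n - 1;
	memcpy(dst, src, len);
	dst[len] = '\0';
	return len;
}

/* Constructed input: n-1 'A's, like `perl -e '{print "A"x100}'` in the post. */
static void longarg(char *buf, size_t n)
{
	memset(buf, 'A', n - 1);
	buf[n - 1] = '\0';
}

/* 1 if strncpy left no terminator anywhere inside the destination, else 0. */
int strncpy_unterminated(void)
{
	char arg[ARGLEN + 1];
	char sys[SYSLEN];

	longarg(arg, sizeof arg);
	strncpy(sys, arg, sizeof sys);
	return memchr(sys, '\0', sizeof sys) == NULL;
}

/* Bytes copytrunc keeps from the same 100-byte input in a SYSLEN buffer. */
size_t copytrunc_len(void)
{
	char arg[ARGLEN + 1];
	char sys[SYSLEN];

	longarg(arg, sizeof arg);
	return copytrunc(sys, sizeof sys, arg);
}

/* A host name that fits is copied whole. */
size_t copytrunc_short_len(void)
{
	char sys[SYSLEN];

	return copytrunc(sys, sizeof sys, "plan9.bell-labs.com");
}

int main(void)
{
	printf("strncpy leaves buffer unterminated: %d\n", strncpy_unterminated());
	printf("copytrunc length for 100 A's: %zu\n", copytrunc_len());
	printf("copytrunc length for a short host: %zu\n", copytrunc_short_len());
	return 0;
}
```

With the 100-byte argument, strncpy fills all 32 bytes and leaves no terminator, while copytrunc keeps 31 bytes and writes the NUL, so whatever reads the buffer next (netmkaddr in the post's trace) sees a proper string.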