* Re: [PATCH] fix failure of tempnam to null-terminate result
From: Szabolcs Nagy @ 2015-08-08 16:29 UTC (permalink / raw)
To: musl
* Felix Janda <felix.janda@posteo.de> [2015-08-08 19:25:13 +0200]:
> tempnam uses an uninitialized buffer which is filled using memcpy and
> __randname. It is therefore necessary to explicitly null-terminate it.
ouch
I think this bug is not exploitable
but in the same function there is a possible overflow issue:
dl = strlen(dir);
pl = strlen(pfx);
l = dl + 1 + pl + 1 + 6;
if l overflows here then memcpy can overwrite the stack.
> ---
> src/stdio/tempnam.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/stdio/tempnam.c b/src/stdio/tempnam.c
> index 45a5f26..b938b31 100644
> --- a/src/stdio/tempnam.c
> +++ b/src/stdio/tempnam.c
> @@ -33,6 +33,7 @@ char *tempnam(const char *dir, const char *pfx)
> s[dl] = '/';
> memcpy(s+dl+1, pfx, pl);
> s[dl+1+pl] = '_';
> + s[l] = '\0';
>
> for (try=0; try<MAXTRIES; try++) {
> __randname(s+l-6);
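Review bot: the commit message should state the premise the placement of the terminator rests on, namely that `__randname(s+l-6)` writes exactly six bytes and no NUL, so index l is the first byte past the name on every retry; the message only says the buffer is "filled using memcpy and __randname", and a reader of the hunk cannot tell from `+ s[l] = '\0';` alone why the store is safe to do once, before the loop, rather than after each `__randname` call. One sentence in the message, or a short comment beside the new line, would make the fix self-explaining.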
> --
> 2.4.6
* Re: [PATCH] fix failure of tempnam to null-terminate result
From: Szabolcs Nagy @ 2015-08-08 16:38 UTC (permalink / raw)
To: musl
* Szabolcs Nagy <nsz@port70.net> [2015-08-08 18:29:19 +0200]:
>
> but in the same function there is a possible overflow issue:
>
> dl = strlen(dir);
> pl = strlen(pfx);
> l = dl + 1 + pl + 1 + 6;
>
> if l overflows here then memcpy can overwrite the stack.
>
never mind.. this can't happen
(largest string size possible is SIZE_MAX/2-PAGE_SIZE)
a comment may be useful there though..
* Re: [PATCH] fix failure of tempnam to null-terminate result
From: Rich Felker @ 2015-08-08 16:44 UTC (permalink / raw)
To: musl
On Sat, Aug 08, 2015 at 06:38:52PM +0200, Szabolcs Nagy wrote:
> * Szabolcs Nagy <nsz@port70.net> [2015-08-08 18:29:19 +0200]:
> >
> > but in the same function there is a possible overflow issue:
> >
> > dl = strlen(dir);
> > pl = strlen(pfx);
> > l = dl + 1 + pl + 1 + 6;
> >
> > if l overflows here then memcpy can overwrite the stack.
> >
>
> nevermind.. this cant happen
>
> (largest string size possible is SIZE_MAX/2-PAGE_SIZE)
>
> a comment may be useful there though..
Yes, generally we assume actual_size_1 + actual_size_2 + small_const
cannot overflow for exactly this reason.
Rich
* [PATCH] fix failure of tempnam to null-terminate result
From: Felix Janda @ 2015-08-08 17:25 UTC (permalink / raw)
To: musl
tempnam uses an uninitialized buffer which is filled using memcpy and
__randname. It is therefore necessary to explicitly null-terminate it.
---
src/stdio/tempnam.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/stdio/tempnam.c b/src/stdio/tempnam.c
index 45a5f26..b938b31 100644
--- a/src/stdio/tempnam.c
+++ b/src/stdio/tempnam.c
@@ -33,6 +33,7 @@ char *tempnam(const char *dir, const char *pfx)
s[dl] = '/';
memcpy(s+dl+1, pfx, pl);
s[dl+1+pl] = '_';
+ s[l] = '\0';
for (try=0; try<MAXTRIES; try++) {
__randname(s+l-6);
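Review bot: the new store `+ s[l] = '\0';` requires s to hold at least l+1 bytes, and nothing in this hunk shows the declaration of s or a check that l stays strictly below its size; please confirm that the existing length check on l (outside the hunk) guarantees l < sizeof s, since otherwise the patch would turn an unterminated read into a one-byte write past the end of the buffer. It would also be worth noting in the commit message that the terminator is written before the retry loop because `__randname(s+l-6)` only rewrites s[l-6] through s[l-1] and never touches s[l].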
--
2.4.6
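As an added example (not musl's code), the name-assembly step of tempnam is rebuilt stand-alone so the pre-patch and patched behaviour can be compared on a sentinel-filled buffer; NAME_CAP, fill_suffix, build_tempname and the other names are assumptions standing in for PATH_MAX, __randname and the real function.

```c
#include <errno.h>
#include <string.h>

/* Added example, not musl's tempnam: it rebuilds the name-assembly step to
 * show why the patch's s[l] = '\0' is needed. NAME_CAP and fill_suffix are
 * stand-ins for PATH_MAX and __randname (assumptions, not musl code). */
#define NAME_CAP 64
#define SUFFIX_LEN 6

/* Deterministic stand-in for __randname: exactly SUFFIX_LEN bytes, no NUL. */
static void fill_suffix(char *p) { memcpy(p, "abcdef", SUFFIX_LEN); }

/* Assemble "<dir>/<pfx>_<suffix>" into s (capacity NAME_CAP).
 * terminate == 0 reproduces the pre-patch code, 1 applies the fix.
 * Returns l on success, -1 with errno = ENAMETOOLONG if it does not fit. */
long build_tempname(const char *dir, const char *pfx, char *s, int terminate)
{
    size_t dl = strlen(dir), pl = strlen(pfx);
    /* As the thread concludes, dl + pl + a small constant cannot wrap a
     * size_t: no real string gets anywhere near SIZE_MAX/2. */
    size_t l = dl + 1 + pl + 1 + SUFFIX_LEN;
    if (l >= NAME_CAP) { errno = ENAMETOOLONG; return -1; }

    memcpy(s, dir, dl);
    s[dl] = '/';
    memcpy(s + dl + 1, pfx, pl);
    s[dl + 1 + pl] = '_';
    if (terminate) s[l] = '\0';      /* the one-line fix from the patch */
    fill_suffix(s + l - SUFFIX_LEN); /* touches only s[l-6] .. s[l-1] */
    return (long)l;
}

/* 1 if the byte after the name still holds the sentinel, i.e. nothing
 * terminated the buffer and strlen()/strdup() would read past index l. */
int leaves_garbage_after_name(int terminate)
{
    char s[NAME_CAP];
    memset(s, 'X', sizeof s);        /* stand-in for uninitialised stack */
    long l = build_tempname("/tmp", "temp", s, terminate);
    return l > 0 && s[l] == 'X';
}

/* 1 if the fixed path for "/tmp", "temp" is exactly the expected string. */
int fixed_name_matches(void)
{
    char s[NAME_CAP];
    memset(s, 'X', sizeof s);
    return build_tempname("/tmp", "temp", s, 1) == 16
        && strcmp(s, "/tmp/temp_abcdef") == 0;
}
```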
* Re: [PATCH] fix failure of tempnam to null-terminate result
From: Rich Felker @ 2015-08-09 22:53 UTC (permalink / raw)
To: musl
On Sat, Aug 08, 2015 at 07:25:13PM +0200, Felix Janda wrote:
> tempnam uses an uninitialized buffer which is filled using memcpy and
> __randname. It is therefore necessary to explicitly null-terminate it.
> ---
> src/stdio/tempnam.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/stdio/tempnam.c b/src/stdio/tempnam.c
> index 45a5f26..b938b31 100644
> --- a/src/stdio/tempnam.c
> +++ b/src/stdio/tempnam.c
> @@ -33,6 +33,7 @@ char *tempnam(const char *dir, const char *pfx)
> s[dl] = '/';
> memcpy(s+dl+1, pfx, pl);
> s[dl+1+pl] = '_';
> + s[l] = '\0';
>
> for (try=0; try<MAXTRIES; try++) {
> __randname(s+l-6);
Thanks! Committed with one small change.
Rich
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/