* PATCH: buffer overflow from MAILCHECK environment variable
@ 2018-04-07 10:45 Oliver Kiddle
From: Oliver Kiddle @ 2018-04-07 10:45 UTC (permalink / raw)
To: Zsh workers
There's a potential buffer overflow in the utils.c:checkmailpath() function
where unchecked strings from the MAILCHECK variable are copied to a
buffer. This bug corresponds to CVE-2018-1100; credit to Richard
Maciel Costa for finding it.
This patch uses snprintf instead of sprintf when writing to the buffer.
Oliver
diff --git a/Src/utils.c b/Src/utils.c
index 3587c3622..fd6aa9ab4 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1653,7 +1653,7 @@ checkmailpath(char **s)
LinkList l;
DIR *lock = opendir(unmeta(*s));
char buf[PATH_MAX * 2 + 1], **arr, **ap;
- int ct = 1;
+ int buflen, ct = 1;
if (lock) {
char *fn;
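Review bot: `buflen` is introduced uninitialized here, which is only safe because both branches of the `if (u)` in the following hunk assign it before the bounds check reads it; declaring it as `int buflen = -1, ct = 1;` would keep the check conservative if a third branch is ever added to that if/else.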
@@ -1662,9 +1662,11 @@ checkmailpath(char **s)
l = newlinklist();
while ((fn = zreaddir(lock, 1)) && !errflag) {
if (u)
- sprintf(buf, "%s/%s?%s", *s, fn, u);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
else
- sprintf(buf, "%s/%s", *s, fn);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+ if (buflen < 0 || buflen >= (int)sizeof(buf))
+ continue;
addlinknode(l, dupstring(buf));
ct++;
}
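Review bot: the `continue` after the length check silently drops a mail file whose MAILCHECK directory plus file name would not fit in `buf`, so the user never learns why no new-mail notice appears for it; consider emitting a warning before skipping. The check itself is correct: snprintf returns the length the full string would have had, so `buflen >= (int)sizeof(buf)` catches truncation and `buflen < 0` catches an encoding error, and the cast is safe since `PATH_MAX * 2 + 1` fits in an int.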
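As an added example (not code from the zsh patch or project), the pattern the fix relies on: build the path with snprintf, treat a return value at or above the buffer size as truncation, and skip that entry instead of writing past the buffer. The directory, file names and buffer size are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Same idea as the patched checkmailpath(): build "dir/fn" or "dir/fn?u" into
 * a fixed buffer and refuse entries that would not fit. snprintf returns the
 * length the full string would have had, so >= bufsize means truncation and
 * < 0 means an encoding error; both cases are rejected instead of overflowing. */
int join_mail_path(char *buf, size_t bufsize, const char *dir,
                   const char *fn, const char *u)
{
    int n;
    if (u)
        n = snprintf(buf, bufsize, "%s/%s?%s", dir, fn, u);
    else
        n = snprintf(buf, bufsize, "%s/%s", dir, fn);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';      /* leave a well-formed empty string behind */
        return 0;           /* caller skips this entry, as the patch does */
    }
    return 1;
}

/* Mirror of the directory-scan loop over constructed sample names (not real
 * mail): returns how many entries fit the buffer; *skipped receives how many
 * were dropped because they would have overflowed it. */
int scan_constructed_dir(int *skipped)
{
    const char *dir = "/var/mail/example";          /* constructed MAILCHECK dir */
    const char *names[] = { "inbox", "lists",
        "a-very-long-mailbox-name-that-will-not-fit-in-the-buffer" };
    const char *u = "new mail in %s";
    char buf[64];   /* zsh uses PATH_MAX * 2 + 1; kept small to show the check */
    int accepted = 0, i;
    *skipped = 0;
    for (i = 0; i < 3; i++) {
        if (join_mail_path(buf, sizeof(buf), dir, names[i], u))
            accepted++;
        else
            (*skipped)++;
    }
    return accepted;
}

int main(void)
{
    int skipped, accepted = scan_constructed_dir(&skipped);
    printf("accepted %d, skipped %d\n", accepted, skipped);
    return 0;
}
```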