Subject: bin/21205: Potential buffer overrun in debug code of named
To: None <gnats-bugs@gnats.netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 04/16/2003 23:13:38
>Number:         21205
>Category:       bin
>Synopsis:       Potential buffer overrun in debug code of named
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 16 21:15:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 1.6Q
>Organization:
>Environment:

>Description:

dist/bind/bin/named/ns_maint.c:

905         int len;
906 
907         curr = buffer;
908         last = &buffer[sizeof buffer - 1]; /* leave room for \0 */
909         for (i = 0; i < argc; i++) {
910             len = strlen(argv[i]);
911             if (curr + len + 1 >= last) {

I don't think this check is sufficient. Is there any guarantee that
`curr + len + 1' doesn't overflow the pointer and point to 0x0000CAFE?
This would probably lead to a crash during the strncpy() later. Even
a second check for >= curr (or buffer) isn't correct. The latter might
be far more theoretical than the first issue, though.

912                 ns_debug(ns_log_xfer_in, 1,
913                      "xfer args debug printout truncated");
914                 break;
915             }
916             strncpy(curr, argv[i], len);
917             curr += len;
918             *curr = ' ';
919             curr++;
920         }
921         *curr = '\0';

>How-To-Repeat:


>Fix:

Use strncpy(curr, argv[i], last - curr); and check for truncation after
this or use strlcpy().
>Release-Note:
>Audit-Trail:
>Unformatted:
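Added example for the loop quoted in this PR. This is not BIND's ns_maint.c and not the submitter's patch; it is a hypothetical stand-alone join_args() written here to show the fix described under ">Fix:" in working form: the remaining space is computed as a byte count (last - curr) from two pointers that both stay inside the buffer, so the expression curr + len + 1 is never formed and an oversized argument cannot push the arithmetic past the end of the object. The copy length is already bounded, so plain memcpy() is used instead of strncpy() (which would pad) or strlcpy() (not available in every libc). The sample arguments in main() are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical replacement for the argv-joining loop in ns_maint.c
 * (example code, not BIND's).
 *
 * Joins argv[0..argc-1] separated by single spaces into buf[bufsize],
 * always NUL-terminating when bufsize > 0.  Returns 0 if every argument
 * fit, 1 if the output was truncated; on truncation buf holds as many
 * whole arguments as fit.
 */
int join_args(char *buf, size_t bufsize, int argc, char *const argv[])
{
    char *curr = buf;
    char *last;
    int truncated = 0;
    int i;

    if (bufsize == 0)
        return 1;                 /* nothing can be written, not even '\0' */

    last = buf + bufsize - 1;     /* slot reserved for the terminating NUL */

    for (i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]);
        size_t sep = (i > 0) ? 1 : 0;          /* space before every argument but the first */
        size_t avail = (size_t)(last - curr);  /* bytes left, excluding the NUL slot */

        /* Compare sizes, not pointers: no curr + len + 1 is ever computed,
         * and the subtraction is ordered so it cannot wrap. */
        if (sep > avail || len > avail - sep) {
            truncated = 1;        /* caller decides whether to log "truncated" */
            break;
        }
        if (sep)
            *curr++ = ' ';
        memcpy(curr, argv[i], len);            /* len is already bounded by avail */
        curr += len;
    }
    *curr = '\0';                 /* curr <= last is guaranteed by the check above */
    return truncated;
}

int main(void)
{
    /* Constructed sample arguments, not taken from a real named invocation. */
    char *const args[] = { "xfer", "-z", "example.org" };
    char small[16];
    char big[64];
    int rc;

    rc = join_args(small, sizeof small, 3, args);
    printf("small: rc=%d \"%s\" (len %zu of %zu)\n", rc, small, strlen(small), sizeof small);

    rc = join_args(big, sizeof big, 3, args);
    printf("big:   rc=%d \"%s\"\n", rc, big);
    return 0;
}
```

The truncation check is the interesting part: avail is derived from last and curr, both of which always point into buf, so the comparison is well defined for any argument length, whereas a test of the form curr + len + 1 >= last depends on an intermediate pointer that may lie far outside the buffer.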