Subject: lib/30833: Buffer overflow in lib/libc/gen/__glob13.c
Date: 07/25/2005 14:48:00
>Synopsis: Buffer overflow in lib/libc/gen/__glob13.c
>Arrival-Date: Mon Jul 25 14:48:00 +0000 2005
>Originator: Tomas Skäre
Static code analysis run on the NetBSD kernel showed an error in lib/libc/gen/__glob13.c. There is a possible buffer overflow in glob1() (called from glob0(), which is called from glob()). It also exists in the current CVS head.
On line 604:
return(glob2(pathbuf, pathbuf, pathbuf + sizeof(pathbuf) - 1, pattern,
pathbuf is declared as:
Where the type "Char" is u_short when DEBUG is not set.
sizeof(pathbuf) therefore returns 2 * (MAXPATHLEN+1), and when this is applied in pointer arithmetic with pointers of the type Char (u_short) it will double once more (as it should), so "pathbuf + sizeof(pathbuf) - 1" will not point at the end of pathbuf but rather MAXPATHLEN further beyond it.
Replacing sizeof(pathbuf) with MAXPATHLEN should probably work.
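The arithmetic behind the report, as an added illustration that is not part of the PR or of NetBSD's code: it computes, as plain integers rather than pointers (forming a pointer past one-beyond-the-end is undefined behaviour), the element index reached by the buggy expression, by the correct element-count form, and by the proposed replacement, and checks each against the bounds of pathbuf. The value of MAXPATHLEN is an assumption (1024 is NetBSD's value; any value shows the same effect), and the function names are invented for the example.

```c
#include <stddef.h>
#include <stdio.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024   /* assumption: NetBSD's value; the effect is the same for any value */
#endif

typedef unsigned short Char;   /* the non-DEBUG definition the report describes */

/* Index reached by "pathbuf + sizeof(pathbuf) - 1": sizeof() yields bytes,
 * but pointer arithmetic on Char* already scales by sizeof(Char), so the byte
 * count is silently reused as an element count. */
size_t buggy_end_index(void)
{
    Char pathbuf[MAXPATHLEN + 1];
    return sizeof(pathbuf) - 1;                          /* 2*(MAXPATHLEN+1) - 1 */
}

/* Index of the last valid element: divide the byte size by the element size. */
size_t correct_end_index(void)
{
    Char pathbuf[MAXPATHLEN + 1];
    return sizeof(pathbuf) / sizeof(pathbuf[0]) - 1;    /* MAXPATHLEN */
}

/* Index reached by the fix proposed in the report, "pathbuf + MAXPATHLEN - 1". */
size_t proposed_fix_end_index(void)
{
    return (size_t)MAXPATHLEN - 1;
}

/* How many elements past the last valid one the buggy pointer lands. */
size_t overshoot_elements(void)
{
    return buggy_end_index() - correct_end_index();
}

/* 1 if idx addresses an element of a Char[MAXPATHLEN + 1], 0 otherwise. */
int index_in_bounds(size_t idx)
{
    return idx <= (size_t)MAXPATHLEN;
}

int main(void)
{
    printf("buggy end index   : %zu (in bounds: %d)\n", buggy_end_index(), index_in_bounds(buggy_end_index()));
    printf("correct end index : %zu (in bounds: %d)\n", correct_end_index(), index_in_bounds(correct_end_index()));
    printf("proposed fix index: %zu (in bounds: %d)\n", proposed_fix_end_index(), index_in_bounds(proposed_fix_end_index()));
    printf("overshoot         : %zu elements (%zu bytes)\n", overshoot_elements(), overshoot_elements() * sizeof(Char));
    return 0;
}
```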