Subject: lib/14234: gethostname(3) bugs - possible buffer overflow
To: None <gnats-bugs@gnats.netbsd.org>
From: None <bbp@via.ecp.fr>
List: netbsd-bugs
Date: 10/12/2001 08:22:45
>Number: 14234
>Category: lib
>Synopsis: gethostname(3) bugs - possible buffer overflow
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Oct 12 08:24:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Jeunhomme
>Release: 1.5.1
>Organization:
Brieuc
>Environment:
NetBSD assurancetourix 1.5.1 NetBSD 1.5.1 (BBP) #4: Sun Jul 29 14:30:11 CEST 2001 bbp@assurancetourix:/usr/src/sys/arch/i386/compile/BBP i386
>Description:
Two bugs (perhaps a single bug, in fact) exist in the gethostname(3) library function: first, it returns 0 even if the supplied buffer is too small to contain the full hostname, and second, it does not 0 terminate the string if the hostname's length is exactly the buffer's length.
>How-To-Repeat:
bbp@assurancetourix $ cat a.c
#include <unistd.h>
#include <stdio.h>

/* this is really my hostname */
#define my_hostname "assurancetourix"
#define my_hostname_length 15

int main()
{
    char foo[1024];
    int bar;

    /* first bug */
    bar=gethostname(foo,2);
    printf("%d (should be -1, because hostname does not fit in foo)\n",bar);

    /* second bug */
    foo[my_hostname_length-1]='A';
    bar=gethostname(foo,my_hostname_length);
    printf("%d (should be -1) %.*s %s\n",
           bar,my_hostname_length,foo,
           foo[my_hostname_length-1]=='\0'?"ok":"no 0 termination");
    return 0;
}
bbp@assurancetourix $ gcc a.c -o a
bbp@assurancetourix $ ./a
0 (should be -1, because hostname does not fit in foo)
0 (should be -1) assurancetourix no 0 termination
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
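
Added example, not part of the original report and not NetBSD code: a caller-side wrapper that turns both reported behaviours (silent truncation, missing terminator) into an explicit error. The names checked_gethostname, legacy_stub and SCRATCH_LEN are hypothetical, the stub is constructed to mimic the behaviour shown above, and the scratch size is an assumption.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRATCH_LEN 1024  /* assumption: longer than any hostname the system allows */

typedef int (*hostname_fn)(char *, size_t);   /* same shape as gethostname(3) */

/* Constructed stub reproducing the reported behaviour: truncates silently,
 * leaves the buffer unterminated when the name fills it, always returns 0. */
static int legacy_stub(char *name, size_t len)
{
    strncpy(name, "assurancetourix", len);
    return 0;
}

/* Hypothetical wrapper: 0 on success with a terminated name, -1 with
 * errno = ENAMETOOLONG when the name plus its '\0' does not fit in len. */
static int checked_gethostname(hostname_fn fn, char *name, size_t len)
{
    /* One extra zero byte that fn never sees, so tmp is always terminated. */
    char tmp[SCRATCH_LEN + 1] = {0};
    size_t n;

    if (name == NULL || len == 0) {
        errno = EINVAL;
        return -1;
    }
    if (fn(tmp, SCRATCH_LEN) != 0)
        return -1;                        /* errno already set by fn */
    n = strlen(tmp);
    if (n == SCRATCH_LEN || n >= len) {   /* possibly cut off, or too long for caller */
        name[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(name, tmp, n + 1);             /* copies the terminator too */
    return 0;
}

int main(void)
{
    char foo[1024];
    int bar = checked_gethostname(legacy_stub, foo, 15);
    printf("%d (stub, 15-byte buffer: -1 expected)\n", bar);
    bar = checked_gethostname(gethostname, foo, sizeof foo);
    printf("%d %s\n", bar, bar == 0 ? foo : "(error)");
    return 0;
}
```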