Subject: pkg/23954: ...pkgsrc/archivers/arc has a warning (potential buffer overflow)
To: None <>
From: None <>
List: netbsd-bugs
Date: 01/02/2004 14:13:11
>Number:         23954
>Category:       pkg
>Synopsis:       ...pkgsrc/archivers/arc has a warning (potential buffer overflow)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 02 20:14:02 UTC 2004
>Release:        NetBSD 1.6ZG
  "I probably don't know what I'm talking about."
System: NetBSD socrates 1.6ZG NetBSD 1.6ZG (socrates) #1: Wed Dec 31 15:24:34 CST 2003 root@socrates:/usr/netbsd/current/src/sys/arch/amd64/compile/obj.amd64/socrates amd64
Architecture: x86_64
Machine: amd64
	arc, from the pkgsrc archivers directory, generates a couple of
	warnings.  One is about mktemp(), which looks painful to fix.
	The other is about getwd(), which is easy to fix.

	The getwd() uses either a passed-in null-terminated string (which
	is of uncontrolled size) or, if the string is "" or NULL, a
	dynamically allocated 1024 (hard-coded) byte buffer.  1024 is
	sufficient, today, on NetBSD/amd64.  But the given string can
	be of any length, and the future is certainly uncertain.  (^&

	Changing the 1024 to MAXPATHLEN (or whatever) would still leave
	half the problem, plus the GCC warning, so I replaced getwd()
	with getcwd().

	In practice, it's more of a nuissance, since I think that the
	only place this gets used, a "" string is passed.  And who
	uses arc, anyway, anymore?
	Build ...pkgsrc/archivers/arc and scan for warnings.
	I'm not sure if anyone is maintaining this software.  It
	might be easier to fix the mktemp() business if one started
	by ripping out the MSDOS, GEMOS, and such.  (Or at least wrote
	a mkstemp() for systems that don't have it.)

	The following pach can be applied for the getwd warning.

--- arcmisc.c.orig	2004-01-02 13:38:35.000000000 -0600
+++ arcmisc.c	2004-01-02 14:00:20.000000000 -0600
@@ -233,16 +233,16 @@
 	char           *dirname;
-	char           *getwd();
+	size_t		buf_size = 0;
 	int             drv;
 	char           *buf;
-	if (dirname == NULL || strlen(dirname) == 0)
-		dirname = (char *) malloc(1024);
+	if (dirname == NULL || (buf_size = strlen(dirname)) == 0)
+		dirname = (char *) malloc(buf_size = 1024);
 #if	!GEMDOS
-	getwd(dirname);
+	getcwd(dirname, buf_size);
 	buf = dirname;
 	*buf++ = (drv = Dgetdrv()) + 'A';