NetBSD-Bugs archive


bin/39746: Too small buffer for long TMPDIR and unlinked-file in src/usr.bin/config/main.c



>Number:         39746
>Category:       bin
>Synopsis:       Too small buffer for long TMPDIR and unlinked-file in src/usr.bin/config/main.c
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 16 05:05:00 +0000 2008
>Originator:     Gao Ya'nan
>Release:        NetBSD-current and NetBSD-4.0
>Organization:
>Environment:
NetBSD abutter.foo.org 4.0 NetBSD 4.0 (GENERIC) #0: Sun Dec 16 00:20:10 PST 2007 builds@wb34:/home/builds/ab/netbsd-4-0-RELEASE/i386/200712160005Z-obj/home/builds/ab/netbsd-4-0-RELEASE/src/sys/arch/i386/compile/GENERIC i386

>Description:
----------------------------------->cut<----------------------------------------
int
main(int argc, char **argv)
{
        char *p, cname[20];
        const char *last_component;
----------------------------------->cut<----------------------------------------

So, cname only takes 20 bytes.

----------------------------------->cut<----------------------------------------
                /* Open temporary configuration file */
                tmpdir = getenv("TMPDIR");
                if (tmpdir == NULL)
                        tmpdir = "/tmp";
                snprintf(cname, sizeof(cname), "%s/config.tmp.XXXXXX", tmpdir);
                cfd = mkstemp(cname);
                if (cfd == -1)
                        err(EXIT_FAILURE, "Cannot create `%s'", cname);

                printf("Using configuration data embedded in kernel...\n");
                if (!extract_config(conffile, cname, cfd))
                        errx(EXIT_FAILURE, "%s does not contain embedded "
                            "configuration data", conffile);

                removeit = 1;
                close(cfd);
                firstfile(cname);
----------------------------------->cut<----------------------------------------

First, if $TMPDIR is more than 7 bytes, 'XXXXXX' will be lost, and if $TMPDIR 
is long enough, the full name will be truncated.

Second, if extract_config() returns 0, there will be an unlink-ed file in 
TMPDIR or a directory above it.

>How-To-Repeat:
TMPDIR=/mnt/averylongtmpdirforconfig config -b /mnt/build netbsd
>Fix:
1, change the size of cname to MAXPATHLEN;
2, unlink the file if extract_config returns 0.
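
Added example, not part of the original report and not NetBSD's config(1) source: one way to apply both fixes, by rejecting a truncated mkstemp(3) template and removing the temporary file on the error path. The helper names open_config_tmp and discard_config_tmp are hypothetical, and PATH_MAX stands in for MAXPATHLEN.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical helper: build the mkstemp(3) template in buf and create
 * the file. Returns the fd, or -1 with errno set. A truncated template
 * is rejected rather than passed on with its XXXXXX suffix cut off.
 */
static int
open_config_tmp(const char *tmpdir, char *buf, size_t buflen)
{
	int n;

	if (tmpdir == NULL)
		tmpdir = "/tmp";
	n = snprintf(buf, buflen, "%s/config.tmp.XXXXXX", tmpdir);
	if (n < 0 || (size_t)n >= buflen) {
		errno = ENAMETOOLONG;
		return -1;
	}
	return mkstemp(buf);
}

/* Hypothetical helper: error-path cleanup, closes and unlinks the file. */
static void
discard_config_tmp(int fd, const char *path)
{
	if (fd != -1)
		(void)close(fd);
	(void)unlink(path);
}

int
main(void)
{
	char small[20], big[PATH_MAX];	/* 20 is the size in the report */
	int fd;

	fd = open_config_tmp("/mnt/averylongtmpdirforconfig", small, sizeof(small));
	printf("20-byte buffer: fd=%d (%s)\n", fd, strerror(errno));
	if ((fd = open_config_tmp(getenv("TMPDIR"), big, sizeof(big))) == -1)
		return 1;
	printf("created %s\n", big);
	discard_config_tmp(fd, big);	/* as if extract_config() returned 0 */
	return access(big, F_OK) == 0;	/* exit status 0 when the file is gone */
}
```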


