NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

lib/40693: _gettemp() flawed

>Number:         40693
>Category:       lib
>Synopsis:       _gettemp() flawed
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 19 16:30:00 +0000 2009
>Originator:     Vadim Zhukov
>Release:        CURRENT
After fixing out-of-bounds access in OpenBSD's version of this function, I 
looked at NetBSD's one. As far as I can see, current implementation of 
_gettemp() in libc (core function for mk*temp(3)) is flawed by many ways:

- It produces highly predictable (i.e. insecure) values;
- It may (should) cause SIGSEGV when path (template) provided has zero length;
- Maybe more.

Thank you for your attention.
 * May die if memory exhausted before actual memory allocation
 * occurs at page start
#include <stdio.h>

main() {
        char    *s;
        size_t   sz;

        for (sz = 1024;; sz *= 2) {
                if ((s = malloc(sz)) == NULL)
                        err(1, "malloc");
                *s = '\0';

I recommend to replace it via OpenBSD's _gettemp() implementation:

Home | Main Index | Thread Index | Old Index