NetBSD-Bugs archive
lib/40693: _gettemp() flawed
>Number: 40693
>Category: lib
>Synopsis: _gettemp() flawed
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Feb 19 16:30:00 +0000 2009
>Originator: Vadim Zhukov
>Release: CURRENT
>Organization:
>Environment:
>Description:
After fixing an out-of-bounds access in OpenBSD's version of this function, I
looked at NetBSD's one. As far as I can see, the current implementation of
_gettemp() in libc (core function for mk*temp(3)) is flawed in many ways:
- It produces highly predictable (i.e. insecure) values;
- It may (should) cause SIGSEGV when the path (template) provided has zero length;
- Maybe more.
Thank you for your attention.
>How-To-Repeat:
/*
 * May die if memory exhausted before actual memory allocation
 * occurs at page start
 */
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main(void) {
	char *s;
	size_t sz;

	for (sz = 1024;; sz *= 2) {
		if ((s = malloc(sz)) == NULL)
			err(1, "malloc");
		*s = '\0';	/* zero-length template */
		mktemp(s);
	}
}
>Fix:
I recommend replacing it with OpenBSD's _gettemp() implementation:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/mktemp.c?rev=1.25
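
Added example, not part of the original report and not NetBSD or OpenBSD code: a bounded scan for the trailing X run that never reads before the first byte of the template, so a zero-length template is rejected instead of touching memory in front of the buffer. It assumes the out-of-bounds access comes from scanning backward from the terminator for trailing X characters; trailing_x, checked_mkstemp, MIN_X and the sample path are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumption: local policy of at least six trailing X's. */
#define MIN_X 6

/* Count trailing 'X' characters; the index never goes below 0. */
size_t
trailing_x(const char *tmpl)
{
	size_t len = strlen(tmpl), n = 0;

	while (n < len && tmpl[len - 1 - n] == 'X')
		n++;
	return n;
}

/*
 * Hypothetical wrapper: validate the template before libc sees it.
 * Returns a file descriptor, or -1 with errno set to EINVAL.
 */
int
checked_mkstemp(char *tmpl)
{
	if (tmpl == NULL || tmpl[0] == '\0' || trailing_x(tmpl) < MIN_X) {
		errno = EINVAL;
		return -1;
	}
	return mkstemp(tmpl);
}

int
main(void)
{
	char empty[] = "";                     /* the case from the report */
	char good[] = "/tmp/pr40693.XXXXXX";   /* constructed sample path */
	int fd;

	if (checked_mkstemp(empty) != -1)
		return 1;
	if ((fd = checked_mkstemp(good)) == -1)
		return 1;
	close(fd);
	unlink(good);
	return 0;
}
```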