NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

bin/53362: Unsafe copy in bin/pax (pat_rep.c, function



>Number:         53362
>Category:       bin
>Synopsis:       Unsafe copy in bin/pax (pat_rep.c, function
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 13 14:00:00 +0000 2018
>Originator:     Thomas Barabosch
>Release:        7.1.2
>Organization:
Fraunhofer FKIE
>Environment:
>Description:
There is a (theoretical) overflow in bin/pax. The function rep_name of file pat_rep.c does not check the size of input buffer name before it copies it into the local buffer buf1. Though, this is unlikely to trigger, to improve code quality, it would be better to use strlcpy instead of strcpy. This issue was fixed in FreeBSD (commit e9f93eed438913bd030866f9c8660fb2678b97d6 of github mirror).
>How-To-Repeat:

>Fix:
--- pat_rep.c	2018-06-13 11:00:17.591854034 +0200
+++ pat_rep.c.patched	2018-06-13 15:34:14.310301128 +0200
@@ -924,7 +924,7 @@
 	 * (the user already saw that substitution go by)
 	 */
 	pt = rephead;
-	(void)strcpy(buf1, name);
+	(void)strlcpy(buf1, name, sizeof(buf1));
 	inpt = buf1;
 	outpt = nname;
 	endpt = outpt + PAXPATHLEN;



Home | Main Index | Thread Index | Old Index