bin/53362: Unsafe copy in bin/pax (pat_rep.c, function

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/53362: Unsafe copy in bin/pax (pat_rep.c, function
From: thomas.barabosch%fkie.fraunhofer.de@localhost
Date: Wed, 13 Jun 2018 14:00:00 +0000 (UTC)

>Number:         53362
>Category:       bin
>Synopsis:       Unsafe copy in bin/pax (pat_rep.c, function
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 13 14:00:00 +0000 2018
>Originator:     Thomas Barabosch
>Release:        7.1.2
>Organization:
Fraunhofer FKIE
>Environment:
>Description:
There is a (theoretical) overflow in bin/pax. The function rep_name of file pat_rep.c does not check the size of input buffer name before it copies it into the local buffer buf1. Though, this is unlikely to trigger, to improve code quality, it would be better to use strlcpy instead of strcpy. This issue was fixed in FreeBSD (commit e9f93eed438913bd030866f9c8660fb2678b97d6 of github mirror).
>How-To-Repeat:

>Fix:
--- pat_rep.c	2018-06-13 11:00:17.591854034 +0200
+++ pat_rep.c.patched	2018-06-13 15:34:14.310301128 +0200
@@ -924,7 +924,7 @@
 	 * (the user already saw that substitution go by)
 	 */
 	pt = rephead;
-	(void)strcpy(buf1, name);
+	(void)strlcpy(buf1, name, sizeof(buf1));
 	inpt = buf1;
 	outpt = nname;
 	endpt = outpt + PAXPATHLEN;

Prev by Date: Re: kern/53301 (msk0 device reports no link, when there is link on same laptop with Windows and Linux.)
Next by Date: Re: port-macppc/53351 (Keyboard non-functional in X11 on last gen iBook (PowerBook6,7))
Previous by Thread: port-evbarm/53359: cvs rdiff -u -r1.24 -r1.25 src/sys/arch/arm/sunxi/sunxi_mmc.c breaks ld at sdmmc0 on BananaPro
Next by Thread: PR/53362 CVS commit: src/bin/pax
Indexes:

Home | Main Index | Thread Index | Old Index