bug-coreutils

tiny buffer overflow in 'stat' (4.5.3)


From: Tommi Kyntola
Subject: tiny buffer overflow in 'stat' (4.5.3)
Date: Tue, 26 Aug 2003 16:56:48 +0300 (EEST)

(first contact with bug-coreutils so bear with me, and I'm not
 on the list so please cc replies to address@hidden)

Hello bug-coreutils people,

It appears that stat source function print_it (stat.c:574) can be tricked
into performing a strchr (and after that either an fputs or worse with %
manipulation) beyond the terminator in the string received from
char *format = strdup (masterformat);

This happens whenever the given --format ends in '%'.
Why-so should be apparent when viewed from the source. The b gets
p + 1, even when *p is '\0' and the loop is continued.
Having a suitable format string ending in '%' (length being a multiple of 4
due to malloc functionality) it prints out crap in the end. I only tested
it briefly and found that it has to be somewhat lengthy, say 44, and it
does just stat.

Suggested fix is to terminate the while loop when the terminator is found,
otherwise the next time around (the fall-through after the
case '\0' is naturally intentional):

diff -Naur coreutils-4.5.3-vanilla/src/stat.c coreutils-4.5.3-statfix/src/stat.c
--- coreutils-4.5.3-vanilla/src/stat.c  2002-09-22 09:48:28.000000000 +0300
+++ coreutils-4.5.3-statfix/src/stat.c  2003-08-26 16:23:50.097650304 +0300
@@ -599,9 +599,11 @@
          dest[1 + len] = 0;
          p += len;

+         b = p + 1;
          switch (*p)
            {
            case '\0':
+             b = NULL;
            case '%':
              fputs ("%", stdout);
              break;
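Review bot: the fall-through from `case '\0':` into `case '%':` is relied on here (after `b = NULL;` the lone trailing '%' is still printed by `fputs ("%", stdout);`), but nothing in the code marks it as deliberate; the cover text says it is intentional, so add a `/* fall through */` comment between `b = NULL;` and `case '%':` so that the next reader, and compilers that warn on implicit fall-through, do not take it for a missing `break`. Also, since `b = p + 1;` now precedes `switch (*p)`, the loop ends only because its condition tests `b`; that condition is outside the hunk, so it is worth confirming it reads `while (b)` and that nothing after the switch reassigns `b` on this path.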
@@ -609,7 +611,6 @@
              print_func (dest, *p, filename, data);
              break;
            }
-         b = p + 1;
        }
       else
        {
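Review bot: with the trailing `b = p + 1;` removed, `b` is assigned only ahead of the switch in this branch, which is the right shape; the `else` branch that follows is cut off by the hunk boundary, so check that it still sets `b` (to NULL once the remaining literal text has been printed), otherwise the loop would spin on the same tail. One behavioural note: after the fix a format ending in a lone '%' prints '%' and stops silently; if an unterminated directive should rather be diagnosed, `case '\0':` is the place to do it, but that is a separate decision from the overflow fix.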


cheers,
        Tommi Kyntola <address@hidden>

      "A man alone in the forest talking to himself and
       no women around to hear him. Is he still wrong?"
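As an added illustration, not part of Tommi's report and not coreutils code, the following C program models the print_it loop both as it stood in 4.5.3 and as patched. The names walk_format, emit, print_func_stub, overruns_for and output_matches are hypothetical, and the set of flag characters accepted between '%' and the directive letter is an assumption. The one read the report describes, a strchr starting one past the terminator, is replaced by a pointer comparison that counts the attempt instead of performing it, so the program runs memory-safely and reports how many times the 4.5.3 control flow would have scanned past the end of the format.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of stat's print_it loop (not coreutils code).
   b is the unconsumed tail of the format; each iteration finds the next
   '%', copies any flag characters into spec[], then dispatches on the
   directive character. fixed == 0 reproduces 4.5.3 (b advanced after the
   switch, unconditionally); fixed == 1 reproduces the patch (b set before
   the switch, cleared in case '\0'). */

enum { OUT_MAX = 256, SPEC_MAX = 32 };

struct walk {
  int overrun;          /* scans that would have started past the '\0' */
  size_t outlen;
  char out[OUT_MAX];    /* what the real code would have written to stdout */
};

static void emit(struct walk *w, const char *s, size_t n) {
  if (n > OUT_MAX - 1 - w->outlen)
    n = OUT_MAX - 1 - w->outlen;
  memcpy(w->out + w->outlen, s, n);
  w->outlen += n;
  w->out[w->outlen] = '\0';
}

/* Stand-in for print_func: writes "<spec:c>" instead of a stat field. */
static void print_func_stub(struct walk *w, const char *spec, char c) {
  emit(w, "<", 1);
  emit(w, spec, strlen(spec));
  emit(w, ":", 1);
  emit(w, &c, 1);
  emit(w, ">", 1);
}

/* Returns how many out-of-bounds scans the loop would have made. */
static int walk_format(const char *format, int fixed, struct walk *w) {
  const char *end = format + strlen(format);   /* the terminating '\0' */
  const char *b = format;
  char spec[SPEC_MAX];

  memset(w, 0, sizeof *w);
  while (b) {
    if (b > end) {        /* 4.5.3 would call strchr(b, '%') from here */
      w->overrun++;
      break;
    }
    const char *p = strchr(b, '%');
    if (p != NULL) {
      emit(w, b, (size_t)(p - b));          /* literal text before '%' */
      p++;                                  /* first char after '%' */
      size_t len = strspn(p, "#-+.I 0123456789");  /* assumed flag set */
      if (len > SPEC_MAX - 2) len = SPEC_MAX - 2;
      spec[0] = '%';
      memcpy(spec + 1, p, len);
      spec[1 + len] = '\0';
      p += len;                             /* directive char, possibly '\0' */

      if (fixed) b = p + 1;
      switch (*p) {
        case '\0':
          if (fixed) b = NULL;              /* patch: stop, never step past '\0' */
          /* FALLTHROUGH */
          /* a lone trailing '%' is printed literally in both versions */
        case '%':
          emit(w, "%", 1);
          break;
        default:
          print_func_stub(w, spec, *p);
          break;
      }
      if (!fixed) b = p + 1;                /* 4.5.3: one past the '\0' when *p == '\0' */
    } else {
      emit(w, b, strlen(b));                /* no more directives */
      b = NULL;
    }
  }
  return w->overrun;
}

/* Helpers that expose the results without a struct walk. */
static int overruns_for(const char *format, int fixed) {
  struct walk w;
  return walk_format(format, fixed, &w);
}

static int output_matches(const char *format, int fixed, const char *expected) {
  struct walk w;
  walk_format(format, fixed, &w);
  return strcmp(w.out, expected) == 0;
}

int main(void) {
  /* constructed sample formats; the last two end in a lone '%' or flags */
  const char *formats[] = { "size=%s name=%n", "100%%", "size=%s%", "%-10" };
  for (size_t i = 0; i < sizeof formats / sizeof *formats; i++) {
    struct walk w;
    int bad = overruns_for(formats[i], 0);
    walk_format(formats[i], 1, &w);
    printf("%-16s  4.5.3 overruns=%d  patched output=\"%s\"\n", formats[i], bad, w.out);
  }
  return 0;
}
```

The pointer comparison `b > end` stands exactly where the real loop would hand a pointer one past the terminator to strchr; for the well-formed formats both versions agree and the count stays at zero, while for a format whose last '%' is followed only by flags or nothing, the 4.5.3 flow records one overrun and the patched flow ends cleanly with the literal '%' emitted.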
