From gdonl@tsc.tdk.com Thu May 13 07:50:36 1999
Return-Path: <gdonl@tsc.tdk.com>
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21])
	by hub.freebsd.org (Postfix) with ESMTP id D2F571513A
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 May 1999 07:50:35 -0700 (PDT)
	(envelope-from gdonl@tsc.tdk.com)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191])
	by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id HAA12466
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 May 1999 07:50:34 -0700 (PDT)
	(envelope-from gdonl@tsc.tdk.com)
Received: from gvpc85.gv.tsc.tdk.com (gvpc85.gv.tsc.tdk.com [192.168.240.85])
	by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id HAA13014
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 May 1999 07:50:33 -0700 (PDT)
Received: (from gdonl@localhost)
	by gvpc85.gv.tsc.tdk.com (8.9.3/8.9.3) id HAA27110;
	Thu, 13 May 1999 07:50:32 -0700 (PDT)
	(envelope-from Don.Lewis@tsc.tdk.com)
Message-Id: <199905131450.HAA27110@gvpc85.gv.tsc.tdk.com>
Date: Thu, 13 May 1999 07:50:32 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Sender: gdonl@tsc.tdk.com
Reply-To: gdonl@tsc.tdk.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: buglet in login_class()
X-Send-Pr-Version: 3.2

>Number:         11687
>Category:       bin
>Synopsis:       buglet in login_class()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 13 08:00:00 PDT 1999
>Closed-Date:    Thu May 13 09:17:01 PDT 1999
>Last-Modified:  Wed Oct 03 19:09:01 GMT 2007
>Originator:     Don Lewis
>Release:        FreeBSD 3.2-BETA i386
>Organization:
TDK Semiconductor
>Environment:

	

>Description:

	The internal substvar() routine in login_class() has a small bug
	that could cause it to scribble one character outside the memory
	that it allocates from the heap.

>How-To-Repeat:

	If the first byte location before the variable contains a
	backslash character, substvar() may think it is processing an
	escape sequence and slide the buffer one character outside its
	allocated space.

	The problem is that substvar does something like this (simplified):
		np = malloc(...);
		p = strcpy(np, var);
		if (p > var && *(p-1) == '\\')
			memmove(p - 1, p, l + 1);
	The return value from "strcpy(np, var)" is "np", not "var",
	so pointer comparisons between "p" and "var" are not valid.
	Also, the buffer being modified is np.

	The intent of this test is to check whether the
	preceding character was a backslash, but only if we aren't at
	the beginning of the buffer.
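
	The following is an added, self-contained illustration of the
	off-by-one described above; it is not code from login_class.c.
	slide_out_escapes() is a hypothetical stand-in for the escape
	handling in substvar(): it takes the buffer being walked (np) and
	the pointer used as the "start of buffer" for the p > base test.
	The fixed check passes np itself; the emulation of the buggy check
	passes a pointer one byte below np, which is what happens when var
	lives at a lower address than np, and seeds that byte with a
	backslash so the out-of-bounds memmove becomes observable without
	any undefined behaviour. Inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the escape handling in substvar().
 * np:   the heap copy of the variable that is being rewritten in place
 * base: the pointer the "not at start of buffer" test compares against;
 *       correct is base == np, the bug was effectively base == var */
static void slide_out_escapes(char *np, const char *base)
{
    char *p = np;
    while (*(p += strcspn(p, "~$")) != '\0') {
        size_t l = strlen(p);
        if (p > base && *(p - 1) == '\\')
            memmove(p - 1, p, l + 1);  /* slide out the backslash, NUL included */
        else
            p++;                       /* genuine ~ or $: skip (substitution omitted) */
    }
}

/* The corrected flow: copy var to a fresh heap buffer and compare p
 * against np, the buffer that p actually walks. */
static char *unescape_fixed(const char *var)
{
    char *np = malloc(strlen(var) + 1);
    if (np == NULL)
        return NULL;
    char *p = strcpy(np, var);       /* strcpy returns np, not var */
    slide_out_escapes(p, np);
    return np;                       /* caller frees */
}

/* Deterministic reproduction of the hazard: place a backslash in the byte
 * immediately before np (a heap neighbour could hold anything) and run the
 * check either against np (fixed) or against a pointer below np (buggy,
 * as when var < np). Returns a fresh copy of the resulting np string. */
static char *run_with_sentinel(const char *var, int use_fixed_check)
{
    size_t len = strlen(var);
    char *region = malloc(len + 2);  /* 1 sentinel byte + string + NUL */
    if (region == NULL)
        return NULL;
    region[0] = '\\';                /* constructed "byte before the allocation" */
    char *np = region + 1;
    memcpy(np, var, len + 1);
    slide_out_escapes(np, use_fixed_check ? np : region);
    char *out = malloc(strlen(np) + 1);
    if (out != NULL)
        strcpy(out, np);
    free(region);
    return out;
}

int main(void)
{
    const char *inputs[] = { "$HOME", "\\$HOME/bin", "a\\~b", "~/bin" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *f = unescape_fixed(inputs[i]);
        char *ok = run_with_sentinel(inputs[i], 1);
        char *bad = run_with_sentinel(inputs[i], 0);
        printf("%-12s fixed=%-10s fixed+sentinel=%-10s buggy+sentinel=%s\n",
               inputs[i], f, ok, bad);
        free(f);
        free(ok);
        free(bad);
    }
    return 0;
}
```

	With the buggy comparison a variable that begins with "$" or "~"
	loses its first character: the memmove destination p - 1 is the
	byte before np, exactly the one-byte scribble the report describes.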


>Fix:
	
--- login_class.c.orig	Fri Sep  4 18:08:36 1998
+++ login_class.c	Thu May 13 06:51:40 1999
@@ -163,7 +163,7 @@
 		while (*(p += strcspn(p, "~$")) != '\0') {
 		    int	l = strlen(p);
 
-		    if (p > var && *(p-1) == '\\')  /* Escaped: */
+		    if (p > np && *(p-1) == '\\')  /* Escaped: */
 			memmove(p - 1, p, l + 1); /* Slide-out the backslash */
 		    else if (*p == '~') {
 			int	v = pch && *(p+1) != '/'; /* Avoid double // */
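Review bot: the one-token change in this hunk is the right fix, because p is initialised from strcpy(np, var), which returns np, so np is the only pointer p can legitimately be compared against; p > var compared pointers into two different objects and, whenever np sat above var, allowed *(p-1) to read the byte before the allocation and memmove to write one byte below it. Consider extending the "Escaped:" comment to say that the test guards the start of np, so the next reader does not reintroduce var.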


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ache 
State-Changed-When: Thu May 13 09:17:01 PDT 1999 
State-Changed-Why:  
fix committed 
Responsible-Changed-From-To: freebsd-bugs->tabthorpe 
Responsible-Changed-By: tabthorpe 
Responsible-Changed-When: Wed Oct 3 18:57:09 UTC 2007 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=11687 
Responsible-Changed-From-To: tabthorpe->freebsd-bugs 
Responsible-Changed-By: tabthorpe 
Responsible-Changed-When: Wed Oct 3 19:09:00 UTC 2007 
Responsible-Changed-Why:  
reassign to pool 

http://www.freebsd.org/cgi/query-pr.cgi?pr=11687 
>Unformatted:
