From nobody@FreeBSD.org  Mon Nov 12 13:29:01 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 476B816A468
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Nov 2007 13:29:01 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id E0B8813C4C1
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Nov 2007 13:29:00 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.1/8.14.1) with ESMTP id lACDSYui063308
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 12 Nov 2007 13:28:34 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.1/8.14.1/Submit) id lACDSYDE063306;
	Mon, 12 Nov 2007 13:28:34 GMT
	(envelope-from nobody)
Message-Id: <200711121328.lACDSYDE063306@www.freebsd.org>
Date: Mon, 12 Nov 2007 13:28:34 GMT
From: Lev Levinson <llevinson@mail.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: sysinstall can't read some packages from INDEX. (buffer overflow).
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         118001
>Category:       bin
>Synopsis:       sysinstall can't read some packages from INDEX. (buffer overflow).
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kensmith
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 12 13:30:00 UTC 2007
>Closed-Date:    Tue Dec 25 19:43:25 UTC 2007
>Last-Modified:  Tue Dec 25 19:43:25 UTC 2007
>Originator:     Lev Levinson
>Release:        FreeBSD-7.0-BETA1
>Organization:
>Environment:
FreeBSD porky.dep24 7.0-BETA1 FreeBSD 7.0-BETA1 #0: Wed Nov  7 13:45:40 MSK 2007     root@porky.dep24:/usr/src/sys/i386/compile/GENERIC_NODEBUG  i386
>Description:
Sysinstall reads the not-used fields of the INDEX file (especially "build dependencies") into a buffer:

char junk[2048]    (see: src/usr.sbin/sysinstall/index.c:294,310)

But today big packages (like kde) have more than 2048 chars in that field.
As a result, buffer junk[] overflows and garbage appears in the Packages menu of sysinstall.
>How-To-Repeat:
cd /usr/ports
make fetchindex
mkdir -p /tmp/tttt/packages 
egrep "^kde" INDEX-7 > /tmp/tttt/packages/INDEX
sysinstall

In its menu select:
  Configure --> Packages --> File System --> enter path: "/tmp/tttt"
  look at garbage in menu "Package Selection".
>Fix:
Increase the size of buffer junk[] at src/usr.sbin/sysinstall/index.c:294 from 2048 to 4096 (or 8192).

>Release-Note:
>Audit-Trail:

From: Brad Hall <haws@ethereal.net>
To: bug-followup@FreeBSD.org, llevinson@mail.ru
Cc:  
Subject: Re: bin/118001: sysinstall can't read some packages from INDEX. (buffer overflow).
Date: Tue, 11 Dec 2007 14:52:44 -0800

 Hi,
 
 I just saw this in the 7.0BETA4 installer.  A better fix may be to just
 advance the pointer to the next sep instead of copying the not used
 stuff into a junk buffer (since copy_to_sep doesn't check the size of
 its buffer).  Here is a patch:
 
 Index: index.c
 ===================================================================
 RCS file: /home/ncvs/src/usr.sbin/sysinstall/index.c,v
 retrieving revision 1.115
 diff -d -u -r1.115 index.c
 --- index.c     28 Jun 2007 17:42:20 -0000      1.115
 +++ index.c     11 Dec 2007 22:43:10 -0000
 @@ -270,6 +270,19 @@
  }
  
  static int
 +advance_to_sep(char *from, int sep)
 +{
 +    char *tok;
 +
 +    tok = strchr(from, sep);
 +    if (!tok) {
 +       return 0;
 +    }
 +    *tok = '\0';
 +    return tok + 1 - from;
 +}
 +
 +static int
  readline(FILE *fp, char *buf, int max)
  {
      int rv, i = 0;
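Review bot: advance_to_sep() carries no comment, and its 0 return (nothing consumed when no separator exists) is exactly the case the unguarded "build deps" call site later relies on; a one-line comment stating that contract would help the next reader. The `*tok = '\0';` store is not needed for a skip-only helper, since the skipped field is never read afterwards; dropping it makes the function a pure pointer walk with no side effect on the line buffer. The body also mixes 4- and 7-space indentation (`return 0;` under the `if`) where the surrounding file uses one style.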
 @@ -291,11 +304,14 @@
  index_parse(FILE *fp, char *name, char *pathto, char *prefix, char *comment, char *descr, char *maint, char *cats, char *rdeps, int *volume)
  {
      char line[10240 + 2048 * 7];
 -    char junk[2048];
      char volstr[2048];
      char *cp;
      int i;
  
 +    /*
 +     * NOTE: Just advance to the separator for fields that are
 +     * not used instead of copying them into a junk buffer
 +     */
      i = readline(fp, line, sizeof line);
      if (i <= 0)
         return EOF;
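Review bot: the NOTE comment is placed above the readline() call rather than beside the first advance_to_sep() use in index_parse() that it describes, so someone reading the field-parsing code will not see it; move it onto the "build deps - not used" line or onto advance_to_sep()'s definition. Removing `char junk[2048];` outright is the right shape of fix: no copy of the unused fields was ever needed, so there is no buffer left to size.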
 @@ -307,21 +323,20 @@
      cp += copy_to_sep(descr, cp, '|');         /* path to pkg-descr */
      cp += copy_to_sep(maint, cp, '|');         /* maintainer */
      cp += copy_to_sep(cats, cp, '|');          /* categories */
 -    cp += copy_to_sep(junk, cp, '|');          /* build deps - not used */
 +    cp += advance_to_sep(cp, '|');             /* build deps - not used */
      cp += copy_to_sep(rdeps, cp, '|');         /* run deps */
      if (index(cp, '|'))
 -        cp += copy_to_sep(junk, cp, '|');      /* url - not used */
 +        cp += advance_to_sep(cp, '|');         /* url - not used */
      else {
 -       strncpy(junk, cp, 1023);
         *volume = 0;
         return 0;
      }
      if (index(cp, '|'))
 -       cp += copy_to_sep(junk, cp, '|');       /* extract deps - not used */
 +       cp += advance_to_sep(cp, '|');          /* extract deps - not used */
      if (index(cp, '|'))
 -       cp += copy_to_sep(junk, cp, '|');       /* patch deps - not used */
 +       cp += advance_to_sep(cp, '|');          /* patch deps - not used */
      if (index(cp, '|'))
 -       cp += copy_to_sep(junk, cp, '|');       /* fetch deps - not used */
 +       cp += advance_to_sep(cp, '|');          /* fetch deps - not used */
      if (index(cp, '|'))
          cp += copy_to_sep(volstr, cp, '|');    /* media volume */
      else {
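Review bot: the `cp += advance_to_sep(cp, '|');` for build deps is the only unguarded call: when no separator follows, it returns 0, cp is left pointing at the build-deps text, and the next copy_to_sep(rdeps, ...) runs on that text; the url/extract/patch/fetch calls below are each wrapped in `if (index(cp, '|'))`, and this one should be too (or the function should bail out as it does for a short line). Also worth recording: the remaining copy_to_sep() targets (rdeps, volstr[2048]) are still unbounded, as the cover note says, and a run-deps list of a large package is the next candidate to exceed 2048, so passing the destination size into copy_to_sep() would close the class of bug rather than this one instance. Dropping `strncpy(junk, cp, 1023);` in the else branch is fine; it was dead code.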
 
 
 Thanks,
 Brad
 
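The two fixes discussed in this PR (skip unused fields without copying, and bound every copy that remains) in one self-contained parser for the pipe-separated INDEX format. This is an added example, not sysinstall's index.c and not Brad Hall's patch: the helper names `copy_to_sep_bounded`, `advance_to_sep`, `index_parse_line`, the `struct index_entry` layout, `FIELD_MAX` and the sample INDEX line are all constructed here; field order follows the comments in index_parse() above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 2048          /* same size sysinstall used for junk[] */

/* Copy the text before 'sep' into 'to', writing at most 'tosize' bytes
 * including the NUL. Returns bytes consumed (field + separator), or 0 if
 * no separator is present. An overlong field is truncated, never overrun. */
static int
copy_to_sep_bounded(char *to, size_t tosize, const char *from, int sep)
{
    const char *tok = strchr(from, sep);
    size_t len;

    if (tok == NULL || tosize == 0)
        return 0;
    len = (size_t)(tok - from);
    if (len >= tosize)
        len = tosize - 1;       /* keep room for the terminating NUL */
    memcpy(to, from, len);
    to[len] = '\0';
    return (int)(tok + 1 - from);
}

/* Skip a field nobody reads; no destination buffer at all, so no size to
 * get wrong. Same return convention as copy_to_sep_bounded(). */
static int
advance_to_sep(const char *from, int sep)
{
    const char *tok = strchr(from, sep);

    return tok == NULL ? 0 : (int)(tok + 1 - from);
}

struct index_entry {
    char name[FIELD_MAX], pathto[FIELD_MAX], prefix[FIELD_MAX];
    char comment[FIELD_MAX], descr[FIELD_MAX], maint[FIELD_MAX];
    char cats[FIELD_MAX], rdeps[FIELD_MAX];
};

/* Parse name|path|prefix|comment|descr|maint|cats|bdeps|rdeps|www|...
 * Build deps and everything after run deps are skipped.
 * Returns 0 on success, -1 if a required separator is missing. */
static int
index_parse_line(const char *line, struct index_entry *e)
{
    const char *cp = line;
    int n;

#define TAKE(dst) do { n = copy_to_sep_bounded((dst), sizeof(dst), cp, '|'); \
                       if (n == 0) return -1; cp += n; } while (0)
    TAKE(e->name);  TAKE(e->pathto); TAKE(e->prefix); TAKE(e->comment);
    TAKE(e->descr); TAKE(e->maint);  TAKE(e->cats);
#undef TAKE
    n = advance_to_sep(cp, '|');            /* build deps: not used */
    if (n == 0)                             /* guarded, unlike the original */
        return -1;
    cp += n;
    n = copy_to_sep_bounded(e->rdeps, sizeof(e->rdeps), cp, '|');
    if (n == 0)                             /* run deps may be the last field */
        snprintf(e->rdeps, sizeof(e->rdeps), "%s", cp);
    return 0;
}

/* Constructed sample line whose build-deps field is bdeps_len bytes of 'x'.
 * Caller frees the result. */
static char *
make_sample_line(size_t bdeps_len)
{
    const char *head = "kdebase-3.5.8|/usr/ports/x11/kdebase3|/usr/local|"
        "Basic applications for the KDE system|/usr/ports/x11/kdebase3/pkg-descr|"
        "kde@FreeBSD.org|x11 kde|";
    const char *tail = "|qt-3.3.8 kdelibs-3.5.8|http://www.kde.org/|||";
    size_t hl = strlen(head), tl = strlen(tail);
    char *line = malloc(hl + bdeps_len + tl + 1);

    if (line == NULL)
        return NULL;
    memcpy(line, head, hl);
    memset(line + hl, 'x', bdeps_len);
    memcpy(line + hl + bdeps_len, tail, tl + 1);
    return line;
}

/* 1 if a line with an oversize build-deps field still parses with the
 * neighbouring fields intact, 0 otherwise. */
int
parse_oversize_bdeps(size_t bdeps_len)
{
    struct index_entry e;
    char *line = make_sample_line(bdeps_len);
    int ok;

    if (line == NULL)
        return 0;
    ok = index_parse_line(line, &e) == 0
        && strcmp(e.name, "kdebase-3.5.8") == 0
        && strcmp(e.cats, "x11 kde") == 0
        && strcmp(e.rdeps, "qt-3.3.8 kdelibs-3.5.8") == 0;
    free(line);
    return ok;
}

/* Length stored when a field_len-byte field is copied into a FIELD_MAX
 * buffer: truncated to FIELD_MAX - 1 instead of overrunning the stack. */
size_t
bounded_copy_length(size_t field_len)
{
    char dst[FIELD_MAX];
    char *src = malloc(field_len + 2);
    size_t out;

    if (src == NULL)
        return 0;
    memset(src, 'y', field_len);
    src[field_len] = '|';
    src[field_len + 1] = '\0';
    copy_to_sep_bounded(dst, sizeof dst, src, '|');
    out = strlen(dst);
    free(src);
    return out;
}

int
main(void)
{
    printf("5000-byte build deps parsed cleanly: %s\n",
           parse_oversize_bdeps(5000) ? "yes" : "no");
    printf("3000-byte field stored as %zu bytes\n", bounded_copy_length(3000));
    return 0;
}
```

The build-deps field in the sample is 5000 bytes, well past the 2048 that overflowed `junk[]`; because nothing is copied it costs only a `strchr`. The bounded copy is there for the fields that are still kept: with the size passed in, an overlong run-deps list is truncated rather than written past the end of the caller's array, which is the remaining exposure the patch above leaves in `copy_to_sep()`.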
Responsible-Changed-From-To: freebsd-bugs->kensmith 
Responsible-Changed-By: kris 
Responsible-Changed-When: Tue Dec 25 14:20:52 UTC 2007 
Responsible-Changed-Why:  
I think ken recently fixed this, assign for confirmation 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118001 
State-Changed-From-To: open->closed 
State-Changed-By: kensmith 
State-Changed-When: Tue Dec 25 19:39:11 UTC 2007 
State-Changed-Why:  

The fix has been made.  Brad Hall - sorry I hadn't seen this PR before 
I tripped across the bug while testing 7.0-RC1.  The patch I came up 
with was virtually identical to yours.  If I'd seen this PR beforehand 
I'd have given you credit for having submitted it. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=118001 
>Unformatted:
