From fanf@demon.net Fri Oct 22 11:31:49 1999
Return-Path: <fanf@demon.net>
Received: from internal.mail.demon.net (internal.mail.demon.net [193.195.224.3])
	by hub.freebsd.org (Postfix) with ESMTP id 2B73814D02
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 22 Oct 1999 11:31:47 -0700 (PDT)
	(envelope-from fanf@demon.net)
Received: from fanf.eng.demon.net (fanf.eng.demon.net [195.11.55.89])
	by internal.mail.demon.net with ESMTP id TAA04935;
	Fri, 22 Oct 1999 19:31:45 +0100 (BST)
Received: from fanf by fanf.eng.demon.net with local (Exim 3.03 #2)
	id 11ejT9-0005Sg-00
	for FreeBSD-gnats-submit@freebsd.org; Fri, 22 Oct 1999 19:31:15 +0100
Message-Id: <E11ejT9-0005Sg-00@fanf.eng.demon.net>
Date: Fri, 22 Oct 1999 19:31:15 +0100
From: Tony Finch <fanf@demon.net>
Reply-To: fanf@demon.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: vipw has dodgy string handling
X-Send-Pr-Version: 3.2

>Number:         14465
>Category:       bin
>Synopsis:       vipw depends upon malloc() returning zero-filled memory
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    sheldonh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 23 06:47:19 PDT 1999
>Closed-Date:    Mon Oct 25 02:51:03 PDT 1999
>Last-Modified:  Mon Oct 25 02:51:41 PDT 1999
>Originator:     Tony Finch
>Release:        FreeBSD 3.3-STABLE-19990927 i386
>Organization:
Demon Internet Ltd
>Environment:

FreeBSD fanf.eng.demon.net 3.3-STABLE-19990927 FreeBSD 3.3-STABLE-19990927 #14: Mon Sep 27 02:50:55 BST 1999     root@fanf.eng.demon.net:/usr/src/sys/compile/DELL-PREC410  i386

>Description:

If vipw is invoked like `vipw -d /some/directory/not/ending/in/slash`
then it overwrites the terminating '\0' with '/' before calling strcat,
so the buffer is no longer NUL-terminated when strcat scans it for the
end of the string. This only works by accident when malloc() happens to
return a block of zeroes; with any other heap contents it would cause
heap corruption.
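An added C example (not the vipw.c source) that replays the pre-patch join inside an oversized local buffer to show why it only works on zero-filled memory, beside a join written the way the fix does it. _MASTERPASSWD is defined locally so the program builds outside FreeBSD; FIRST_NUL and the 'X' fill are constructed "dirty heap" contents.

```c
#include <stdlib.h>
#include <string.h>

/* On FreeBSD <pwd.h> defines _MASTERPASSWD; defined here for portability. */
#ifndef _MASTERPASSWD
#define _MASTERPASSWD "master.passwd"
#endif

/* Fixed join, following the committed patch: the '/' is appended by strcat()
 * as part of the literal "/" _MASTERPASSWD, so the string stays
 * NUL-terminated at every step. Returns a malloc()ed path, or NULL on error
 * or on an empty dir (which would make the dir[len - 1] test read before
 * the buffer). */
char *join_masterpasswd(const char *dir)
{
    size_t len = strlen(dir);
    char *p;

    if (len == 0)
        return NULL;
    /* room for dir, an optional '/', the file name and the terminator */
    if ((p = malloc(len + sizeof("/" _MASTERPASSWD))) == NULL)
        return NULL;
    strcpy(p, dir);
    if (dir[len - 1] != '/')
        strcat(p, "/" _MASTERPASSWD);
    else
        strcat(p, _MASTERPASSWD);
    return p;
}

#define FIRST_NUL 40  /* constructed: first stray NUL in non-zeroed memory */

/* Replays the pre-patch logic in a local buffer so the effect can be
 * measured without corrupting the real heap. With zeroed memory the result
 * is the intended path; with non-zero memory strcat() runs past the
 * overwritten terminator and appends at the first NUL it happens to find.
 * Returns strlen() of the result, or 0 if dir does not fit the simulation. */
size_t buggy_join_strlen(const char *dir, int zeroed)
{
    char buf[64];
    size_t len = strlen(dir);

    if (len == 0 || len >= FIRST_NUL)
        return 0;
    memset(buf, zeroed ? 0 : 'X', sizeof(buf));
    if (!zeroed)
        buf[FIRST_NUL] = '\0';
    strcpy(buf, dir);
    if (buf[len - 1] != '/')
        buf[len] = '/';             /* the bug: clobbers the terminator */
    strcat(buf, _MASTERPASSWD);     /* scans for a NUL that is no longer there */
    return strlen(buf);
}
```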

>How-To-Repeat:

>Fix:
	
--- /usr/src/usr.sbin/vipw/vipw.c.orig	Fri Oct 22 19:24:51 1999
+++ /usr/src/usr.sbin/vipw/vipw.c	Fri Oct 22 19:25:51 1999
@@ -81,8 +81,9 @@
 				err(1, NULL);
 			strcpy(masterpasswd, optarg);
 			if (masterpasswd[strlen(masterpasswd) - 1] != '/')
-				masterpasswd[strlen(masterpasswd)] = '/';
-			strcat(masterpasswd, _MASTERPASSWD);
+				strcat(masterpasswd, "/" _MASTERPASSWD);
+			else
+				strcat(masterpasswd, _MASTERPASSWD);
 			if ((mppath = strdup(optarg)) == NULL)
 				err(1, NULL);
 			if (mppath[strlen(mppath) - 1] == '/')

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->sheldonh 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Mon Oct 25 02:40:24 PDT 1999 
Responsible-Changed-Why:  
I'll take this one, since I introduced the offending code. 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Mon Oct 25 02:51:03 PDT 1999 
State-Changed-Why:  
Committed as rev 1.11 (HEAD) and rev 1.5.2.6 (RELENG_3). Thanks! 
>Unformatted:
