From jedgar@pawn.primelocation.net Fri Nov 26 06:45:52 1999
Return-Path: <jedgar@pawn.primelocation.net>
Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235])
	by hub.freebsd.org (Postfix) with ESMTP id 2503814C3F
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 26 Nov 1999 06:45:51 -0800 (PST)
	(envelope-from jedgar@pawn.primelocation.net)
Received: by pawn.primelocation.net (Postfix, from userid 1003)
	id D62E19B38; Fri, 26 Nov 1999 09:45:50 -0500 (EST)
Message-Id: <19991126144550.D62E19B38@pawn.primelocation.net>
Date: Fri, 26 Nov 1999 09:45:50 -0500 (EST)
From: jedgar@fxp.org
Sender: jedgar@pawn.primelocation.net
Reply-To: jedgar@fxp.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] cdcontrol does not perform bounds checking WRT dev name lengths
X-Send-Pr-Version: 3.2

>Number:         15101
>Category:       bin
>Synopsis:       [PATCH] cdcontrol does not perform bounds checking WRT dev name lengths
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    joe
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 26 06:50:00 PST 1999
>Closed-Date:    Sun Apr 30 13:22:38 PDT 2000
>Last-Modified:  Sun Apr 30 13:24:44 PDT 2000
>Originator:     Chris D. Faulhaber
>Release:        FreeBSD 3.3-STABLE i386
>Organization:
N/A
>Environment:

FreeBSD 3.3-STABLE and 4.0-CURRENT

>Description:

cdcontrol fails to perform basic bounds/sanity checking WRT device name
lengths.  Though this does not appear to be exploitable in any way (not
suid, etc), it can cause those annoying core dumps :)

>How-To-Repeat:

Using a file/path > 80 characters

% touch <long file/pathname>
% cdcontrol -f <long file/pathname> eject
Segmentation fault (core dumped)
% 

>Fix:

The following patch performs the necessary bounds checking.  Also, it
might be more proper to use MAXPATHLEN instead of the author's 80
char pathname limit.

Index: cdcontrol.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/cdcontrol/cdcontrol.c,v
retrieving revision 1.23
diff -u -r1.23 cdcontrol.c
--- cdcontrol.c	1999/11/18 23:04:38	1.23
+++ cdcontrol.c	1999/11/26 14:33:21
@@ -1042,11 +1042,11 @@
 		return (1);
 
 	if (*cdname == '/')
-		strcpy (devbuf, cdname);
+		snprintf (devbuf, 80, "%s", cdname);
 	else if (*cdname == 'r')
-		sprintf (devbuf, "/dev/%s", cdname);
+		snprintf (devbuf, 80, "/dev/%s", cdname);
 	else
-		sprintf (devbuf, "/dev/r%s", cdname);
+		snprintf (devbuf, 80, "/dev/r%s", cdname);
 
 	fd = open (devbuf, O_RDONLY);
 
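Review bot: the literal 80 repeated in all three snprintf() calls restates the size of devbuf by hand, so the bound can drift from the declaration; use sizeof(devbuf) (or, as the submission itself suggests, size devbuf to MAXPATHLEN and bound against that). Separately, snprintf() truncates silently, so a name longer than the buffer now reaches `fd = open (devbuf, O_RDONLY);` as a different, shortened path rather than being rejected; check the return value before the open(), e.g. `if (n < 0 || n >= sizeof(devbuf)) { warnx("device name too long"); return (1); }`, so the truncated path is never opened.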

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: joe 
State-Changed-When: Sun Dec 5 12:05:55 PST 1999 
State-Changed-Why:  
Committed to -current (1.24). 
Suspended pending MFC. 


Responsible-Changed-From-To: freebsd-bugs->joe 
Responsible-Changed-By: joe 
Responsible-Changed-When: Sun Dec 5 12:05:55 PST 1999 
Responsible-Changed-Why:  
Cos I'm responsible for it now. 
State-Changed-From-To: suspended->closed 
State-Changed-By: joe 
State-Changed-When: Sun Apr 30 13:22:38 PDT 2000 
State-Changed-Why:  
Committed to RELENG_3 and RELENG_2_2. 
>Unformatted:

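The Description and Fix sections above describe the device-name construction only in terms of the patch. As an added example, not cdcontrol's own code, the following C program shows the same prefix logic (`/`, `r`, or neither, as in the hunk) rewritten so that a name that does not fit is refused rather than silently truncated, which is the caveat a bare snprintf() leaves open. The 80-byte buffer size is taken from the submission's description of the author's limit; the function names and the constructed long names are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed device-name buffer the PR bounds against
 * (assumption: the "80 char pathname limit" named in the report). */
#define DEVBUF_LEN 80

/* Build the device path the way the hunk does: an absolute name is used
 * as-is, a name starting with 'r' gets "/dev/", anything else "/dev/r".
 * Returns 0 on success and -1 (errno = ENAMETOOLONG) when the result would
 * not fit, so a truncated path is never handed to open(). */
int build_devname(char *devbuf, size_t devlen, const char *cdname)
{
    int n;

    if (*cdname == '/')
        n = snprintf(devbuf, devlen, "%s", cdname);
    else if (*cdname == 'r')
        n = snprintf(devbuf, devlen, "/dev/%s", cdname);
    else
        n = snprintf(devbuf, devlen, "/dev/r%s", cdname);

    /* snprintf() reports the length the full string would have had;
     * anything >= devlen means it was cut short. */
    if (n < 0 || (size_t)n >= devlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Bytes (including the NUL) that the unbounded strcpy()/sprintf() in the
 * pre-patch code would have written for this name. Computed without
 * writing, so the overflow can be shown without triggering it. */
size_t unsafe_write_len(const char *cdname)
{
    if (*cdname == '/')
        return strlen(cdname) + 1;
    if (*cdname == 'r')
        return strlen("/dev/") + strlen(cdname) + 1;
    return strlen("/dev/r") + strlen(cdname) + 1;
}

/* Helper: build into an 80-byte buffer and compare. With expect == NULL it
 * returns 1 when the name was rejected; otherwise 1 when the built path
 * equals expect. */
int devname_matches(const char *cdname, const char *expect)
{
    char devbuf[DEVBUF_LEN];
    int rc = build_devname(devbuf, sizeof devbuf, cdname);

    if (expect == NULL)
        return rc == -1;
    return rc == 0 && strcmp(devbuf, expect) == 0;
}

/* Constructs a name of namelen 'a' characters (the report's "file/path > 80
 * characters" case, constructed here) and reports whether it is rejected.
 * Returns -1 if namelen exceeds the local scratch buffer. */
int long_name_rejected(size_t namelen)
{
    char name[512];

    if (namelen >= sizeof name)
        return -1;
    memset(name, 'a', namelen);
    name[namelen] = '\0';
    return devname_matches(name, NULL);
}

int main(void)
{
    char devbuf[DEVBUF_LEN];
    char longname[200];

    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    if (build_devname(devbuf, sizeof devbuf, "cd0") == 0)
        printf("cd0 -> %s\n", devbuf);
    printf("unbounded write for the long name: %zu bytes into %d\n",
           unsafe_write_len(longname), DEVBUF_LEN);
    if (build_devname(devbuf, sizeof devbuf, longname) == -1)
        perror("long name refused");
    return 0;
}
```

The boundary is exact: "/dev/r" plus 73 characters is 79 bytes and fits, plus 74 is 80 bytes and is refused, whereas the patch's snprintf() alone would open the first 79 bytes of the latter as a different path.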