From toasty@celery.dragondata.com  Thu Jan 27 22:05:26 2000
Return-Path: <toasty@celery.dragondata.com>
Received: from celery.dragondata.com (celery.dragondata.com [205.253.12.6])
	by hub.freebsd.org (Postfix) with ESMTP id A80CB14C16
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 27 Jan 2000 22:05:20 -0800 (PST)
	(envelope-from toasty@celery.dragondata.com)
Received: (from root@localhost)
	by celery.dragondata.com (8.9.3/8.9.3) id AAA83141;
	Fri, 28 Jan 2000 00:05:11 -0600 (CST)
	(envelope-from toasty)
Message-Id: <200001280605.AAA83141@celery.dragondata.com>
Date: Fri, 28 Jan 2000 00:05:11 -0600 (CST)
From: Kevin Day <toasty@dragondata.com>
Sender: toasty@celery.dragondata.com
Reply-To: toasty@dragondata.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: Buffer overflow in procctl(8)
X-Send-Pr-Version: 3.2

>Number:         16415
>Category:       bin
>Synopsis:       Buffer overflow in procctl(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 27 22:10:01 PST 2000
>Closed-Date:    Mon Feb 21 03:07:34 PST 2000
>Last-Modified:  Mon Feb 21 03:08:51 PST 2000
>Originator:     Kevin Day
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
DragonData Internet Services
>Environment:

Any FreeBSD system

>Description:

Procctl has a simple buffer overflow. It's not suid, so I wouldn't consider
this a security problem.

>How-To-Repeat:

su-2.03# procctl 22348723894723984728974892748923894729834728934798273489273498274
Segmentation fault (core dumped)

>Fix:
	
--- procctl.c   Thu Jan 27 23:55:57 2000
+++ procctl.c   Thu Jan 27 23:56:57 2000
@@ -63,7 +63,7 @@
   for (i = 1; i < ac; i++) {
     char buf[32];

-    sprintf(buf, "/proc/%s/mem", av[i]);
+    snprintf(buf, sizeof(buf), "/proc/%s/mem", av[i]);
     fd = open(buf, O_RDWR);
     if (fd == -1) {
       if (errno == ENOENT)
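
Review bot: the snprintf() call on the added line truncates silently, so an over-long av[i] no longer overruns buf but still yields a cut-off path that is passed straight to open(buf, O_RDWR). With char buf[32], "/proc/" and "/mem" use 10 of the 31 usable bytes, so any argument longer than 21 characters starts losing the "/mem" suffix and the open is attempted on a different path than intended. Suggest checking the return value of snprintf() against sizeof(buf) and reporting the argument as invalid and skipping it when it does not fit, or validating that av[i] is a numeric pid before formatting the path.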


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Mon Feb 21 03:07:34 PST 2000 
State-Changed-Why:  
Patch applied, thanks! 
>Unformatted:
