From nick@maths.tcd.ie  Mon Jul 21 06:35:20 1997
Received: from salmon.maths.tcd.ie (mmdf@salmon.maths.tcd.ie [134.226.81.11])
          by hub.freebsd.org (8.8.5/8.8.5) with SMTP id GAA13587
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 21 Jul 1997 06:35:18 -0700 (PDT)
Received: from synge.maths.tcd.ie by salmon.maths.tcd.ie  with SMTP id aa25218;
          21 Jul 97 14:35 +0100
Message-Id: <9707211435.aa01849@synge.maths.tcd.ie>
Date: Mon, 21 Jul 97 14:35:08 +0100
From: nick@foobar.org
Sender: nick@maths.tcd.ie
Reply-To: nick@foobar.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: Possible buffer overflow in lib/libc/gen/getpwent.c
X-Send-Pr-Version: 3.2

>Number:         4134
>Category:       bin
>Synopsis:       Potential buffer overflow in getpwent(), getpwnam() and getpwuid()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 21 06:40:01 PDT 1997
>Closed-Date:    Sun Sep 14 11:13:21 PDT 1997
>Last-Modified:  Sun Sep 14 11:17:16 PDT 1997
>Originator:     Nick Hilliard
>Release:        FreeBSD 2.2-STABLE i386
>Organization:
Ireland Online
>Environment:

	(src code)

>Description:

	__hashpw() in lib/libc/gen/getpwent.c uses a flawed mechanism
	for allocating on-the-fly static buffer space for passwd
	entries.  The mechanism checks to see if the currently
	assigned buffer is big enough.  If it isn't, then it
	increases it by 1024 chars.  If __hashpw() is called with
	a data structure of size more than 1024 bytes larger than
	the currently assigned buffer, it's possible that other
	data could be overwritten.

>How-To-Repeat:

	Set gecos to be large (>1024 chars) and then call getpwent().

>Fix:
	
	On line 292 of getpwent.c, replace:

        if (data.size > max && !(line = realloc(line, max += 1024)))
                return(0);

	with:

        if (data.size > max) {
                max = data.size + 1024;
                if (!(line = realloc(line, max)))
                        return NULL;
        }

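The two growth policies compared above, modelled as an added C example (this is not code from the PR or from FreeBSD's getpwent.c). `max` and `line` stand in for the static buffer in __hashpw(), `needed` for data.size; the function names grow_fixed_step, grow_to_fit and record_fits are assumptions made for this example only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeBSD code. Models the `line`/`max` buffer in
 * __hashpw(): `max` is the current capacity, `needed` plays the role of
 * data.size. Each grow_* function returns the capacity after growth, or
 * 0 if realloc() fails. Function names are assumptions for this example. */

/* Original policy described in the PR: grow by a fixed 1024 bytes whenever
 * the buffer is too small. The new size is unrelated to `needed`, so a
 * record more than 1024 bytes larger than `max` still does not fit. */
static size_t grow_fixed_step(char **line, size_t max, size_t needed)
{
    if (needed > max) {
        char *p = realloc(*line, max += 1024);
        if (p == NULL)
            return 0;
        *line = p;
    }
    return max;
}

/* Policy from the submitted fix: size the buffer relative to the record,
 * so the capacity always covers `needed` (plus 1024 bytes of slack). */
static size_t grow_to_fit(char **line, size_t max, size_t needed)
{
    if (needed > max) {
        max = needed + 1024;
        char *p = realloc(*line, max);
        if (p == NULL)
            return 0;
        *line = p;
    }
    return max;
}

/* Check whether a record of `needed` bytes would stay in bounds after
 * applying a growth policy to a buffer of `max` bytes. The copy is only
 * performed when the capacity is sufficient, so this model never writes
 * past the allocation; a copy in the "does not fit" case is the overrun
 * the PR describes. Returns 1 if the record fits, 0 if it would overrun
 * (or allocation failed). */
static int record_fits(size_t (*grow)(char **, size_t, size_t),
                       size_t max, size_t needed)
{
    char *line = (max > 0) ? malloc(max) : NULL;
    size_t cap = grow(&line, max, needed);
    int fits = (cap != 0 && cap >= needed);
    if (fits)
        memset(line, 'x', needed);  /* stands in for copying the passwd record */
    free(line);
    return fits;
}

int main(void)
{
    /* Constructed record sizes: a passwd entry whose gecos field is well
     * over 1024 characters, as in the How-To-Repeat above. */
    size_t cur = 1024, small = 1500, big = 3000;
    printf("fixed step,  %zu-byte record into %zu-byte buffer: %s\n",
           small, cur, record_fits(grow_fixed_step, cur, small) ? "fits" : "OVERRUN");
    printf("fixed step,  %zu-byte record into %zu-byte buffer: %s\n",
           big, cur, record_fits(grow_fixed_step, cur, big) ? "fits" : "OVERRUN");
    printf("size to fit, %zu-byte record into %zu-byte buffer: %s\n",
           big, cur, record_fits(grow_to_fit, cur, big) ? "fits" : "OVERRUN");
    return 0;
}
```

The first policy only works when the buffer is at most 1024 bytes short; the second derives the new size from the record itself, which is the whole point of the patch. Note that both the original line and the fix assign `realloc()`'s result straight back to `line`, so the old buffer is leaked on failure; the model above keeps a temporary pointer instead.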

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: wosch 
State-Changed-When: Sun Sep 14 11:13:21 PDT 1997 
State-Changed-Why:  

Submitted patch applied. Thanks! 
src/lib/libc/gen/getpwent.c,v revision: 1.41 
>Unformatted:
