From ada@not-enough.bandwidth.org  Mon Sep 22 23:07:08 1997
Received: from polya.blah.org (slmel12p01.ozemail.com.au [203.108.200.89])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA20771
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Sep 1997 23:07:06 -0700 (PDT)
Received: (from ada@localhost)
          by polya.blah.org (8.8.6/8.8.5) id QAA00814;
          Tue, 23 Sep 1997 16:06:56 +1000 (EST)
Message-Id: <199709230606.QAA00814@polya.blah.org>
Date: Tue, 23 Sep 1997 16:06:56 +1000 (EST)
From: Ada T Lim <ada@not-enough.bandwidth.org>
Reply-To: ada@not-enough.bandwidth.org
To: FreeBSD-gnats-submit@freebsd.org
Cc: dholland@burgundy.eecs.harvard.edu
Subject: potential buffer overrun in bootparamd
X-Send-Pr-Version: 3.2

>Number:         4610
>Category:       bin
>Synopsis:       potential buffer overrun in bootparamd
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 22 23:10:01 PDT 1997
>Closed-Date:    Sun Oct 19 12:42:54 MEST 1997
>Last-Modified:  Tue Nov 27 19:24:37 PST 2001
>Originator:     Ada T Lim
>Release:        FreeBSD 2.2-STABLE i386
>Organization:
>Environment:

>Description:

bootparamd copies h_name into askname, a statically sized buffer of 255
bytes.  MAXHOSTNAMELEN is 256 bytes.

patch written by David Holland (dholland@burgundy.eecs.harvard.edu)

>How-To-Repeat:
>Fix:
--- bootparamd.c.dist   Tue Sep 23 01:33:56 1997
+++ bootparamd.c        Tue Sep 23 01:39:26 1997
@@ -68,7 +68,9 @@
   if (debug) warnx("this is host %s", he->h_name);
   if (dolog) syslog(LOG_NOTICE,"This is host %s\n", he->h_name);

-  strcpy(askname, he->h_name);
+  strncpy(askname, he->h_name, sizeof(askname));
+  askname[sizeof(askname)-1] = 0;
+
   if (checkhost(askname, hostname) ) {
     res.client_name = hostname;
     getdomainname(domain_name, MAX_MACHINE_NAME);
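Review bot: the bounded copy `strncpy(askname, he->h_name, sizeof(askname));` plus `askname[sizeof(askname)-1] = 0;` closes the overrun but truncates silently, and the shortened name is then handed straight to `checkhost(askname, hostname)`. Consider checking `strlen(he->h_name) >= sizeof(askname)` and reporting it under the same `debug`/`dolog` paths used by the "this is host %s" messages just above, so a name that does not fit is logged and refused rather than compared in cut-down form. Note also that `sizeof(askname)` is only the buffer size while `askname` is the array itself in this scope, not a pointer parameter.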
@@ -123,7 +125,9 @@
   he = gethostbyname(getfile->client_name);
   if (! he ) goto failed;

-  strcpy(askname,he->h_name);
+  strncpy(askname, he->h_name, sizeof(askname));
+  askname[sizeof(askname)-1] = 0;
+
   if (getthefile(askname, getfile->file_id,buffer)) {
     if ( (where = index(buffer,':')) ) {
       /* buffer is re-written to contain the name of the info of file */
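Review bot: this hunk repeats the strncpy/terminate pair from the first hunk verbatim; a small static helper that does the bounded copy and returns whether the source fit would keep the two call sites from drifting and would let `getthefile(askname, getfile->file_id, buffer)` skip the lookup on a truncated name instead of searching for a hostname that does not exist. The new line also fixes the missing space in `strcpy(askname,he->h_name)`, which is fine but is a whitespace change folded into the fix.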
@@ -314,7 +318,8 @@
         he = gethostbyname(askname);
         if (he && !strcmp(askname, he->h_name)) {
          res = 1;
-         sprintf(hostname,"%s", he->h_name);
+         // XXX the length should really be an arg to this function...
+         snprintf(hostname, MAX_MACHINE_NAME, "%s", he->h_name);
        }
       }
       if (fclose(bpf))
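Review bot: `snprintf(hostname, MAX_MACHINE_NAME, "%s", he->h_name)` asserts a buffer size this function cannot see, because `hostname` arrives as a pointer; as the `XXX` comment already says, the length belongs in the parameter list and should be used here, otherwise a caller passing a smaller buffer gets the original overrun back. The return value of `snprintf` is also worth checking: if it is `>= MAX_MACHINE_NAME` the name was cut, yet `res = 1` still reports a successful match. Style point: the added comment uses `//`, which the visible C in this file does not use elsewhere; `/* ... */` would match the surrounding code.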

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: joerg 
State-Changed-When: Sun Oct 19 12:42:54 MEST 1997 
State-Changed-Why:  

Fix applied (with more fixes added) in rev 1.8.  Thanks! 
>Unformatted:
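The size mismatch described in the PR (a 255-byte `askname` receiving a resolver hostname that may be up to MAXHOSTNAMELEN, 256 bytes) is illustrated below with a bounded-copy helper that reports truncation instead of hiding it. This is an added example written for this page, not code from bootparamd or from the patch's author; the constants `ASKNAME_SIZE` and `HOSTNAME_LEN` stand in for the real buffer and MAXHOSTNAMELEN, and the function names `copy_hostname`, `name_matches`, `make_name` and `demo_fits` are hypothetical. It goes one step beyond the patch by refusing to treat a truncated name as a match, which is the check a reviewer would want next to the strncpy fix.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes mirroring the PR: the receiving buffer holds 255 bytes,
 * while a resolver hostname may be up to MAXHOSTNAMELEN (256) bytes.
 * Both macro names are hypothetical stand-ins, not the daemon's own. */
#define ASKNAME_SIZE 255
#define HOSTNAME_LEN 256   /* stands in for MAXHOSTNAMELEN */

/* Bounded copy in the style of the patch: strncpy plus a forced terminator.
 * Returns 1 if the whole source fit, 0 if it was truncated, so the caller
 * can log and refuse rather than compare a silently shortened name. */
static int copy_hostname(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);

    if (dstsize == 0)
        return 0;
    strncpy(dst, src, dstsize);
    dst[dstsize - 1] = '\0';
    return srclen < dstsize;   /* fits only if there was room for the NUL */
}

/* Stands in for the checkhost() step: a resolved name that does not fit
 * in askname is never reported as a match, even if the prefix compares equal. */
static int name_matches(const char *resolved, char *askname, size_t asksize)
{
    if (!copy_hostname(askname, asksize, resolved))
        return 0;
    return strcmp(askname, resolved) == 0;
}

/* Builds a constructed hostname of exactly len characters (buf needs len+1). */
static void make_name(char *buf, size_t len)
{
    memset(buf, 'a', len);
    buf[len] = '\0';
}

/* Runs the whole scenario for a constructed name of the given length.
 * Returns 1 (fits and matches), 0 (truncated, refused) or -1 (bad length). */
static int demo_fits(size_t namelen)
{
    char askname[ASKNAME_SIZE];
    char name[HOSTNAME_LEN + 1];

    if (namelen > HOSTNAME_LEN)
        return -1;
    make_name(name, namelen);
    return name_matches(name, askname, sizeof askname);
}

int main(void)
{
    /* A 254-character name is the longest that fits with its terminator;
     * 255 characters is exactly the case where the unpatched strcpy overran. */
    printf("10-char name accepted:  %d\n", demo_fits(10));
    printf("254-char name accepted: %d\n", demo_fits(254));
    printf("255-char name accepted: %d\n", demo_fits(255));
    printf("256-char name accepted: %d\n", demo_fits(256));
    return 0;
}
```

The point of returning the fit/truncated flag from `copy_hostname` is that a bounded copy alone only stops the memory corruption; without the flag, the daemon would go on to compare or look up a name it never actually received.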
