From nobody  Tue Oct  6 15:28:00 1998
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id PAA14893;
          Tue, 6 Oct 1998 15:28:00 -0700 (PDT)
          (envelope-from nobody)
Message-Id: <199810062228.PAA14893@hub.freebsd.org>
Date: Tue, 6 Oct 1998 15:28:00 -0700 (PDT)
From: synk@swcp.com
To: freebsd-gnats-submit@freebsd.org
Subject: Buffer overflow in function called by getpwnam()
X-Send-Pr-Version: www-1.0

>Number:         8176
>Category:       bin
>Synopsis:       Buffer overflow in function called by getpwnam()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct  6 15:30:01 PDT 1998
>Closed-Date:    Thu Oct 29 15:17:36 PST 1998
>Last-Modified:  Thu Oct 29 15:18:02 PST 1998
>Originator:     Brendan Conoboy
>Release:        2.2.7-STABLE FreeBSD 2.2.7-STABLE #0: Wed Sep 23 12:10:33
>Organization:
>Environment:
FreeBSD uspca.swcp.com 2.2.7-STABLE FreeBSD 2.2.7-STABLE #0: Wed Sep 23 12:10:33 MDT 1998     root@:/usr/src/sys/compile/uspca  i386

>Description:
When getpwnam() is passed a very large buffer, it will receive a SIGBUS
or SIGSEGV.  As far as I've looked so far, it appears to manifest itself
in __hashpw(), possibly during this macro:

#define EXPAND(e)       e = t; while ( (*t++ = *p++) );

Though I'm no coder, I think the problem might be that in getpwnam,
"name" isn't necessarily null terminated. It is defined one byte
larger than what is bcopied into it, but the last byte might not
be zero.
>How-To-Repeat:
#include <stdio.h>
#include <sys/types.h>
#include <pwd.h>

/* A name longer than UT_NAMESIZE is enough to trigger the crash. */
char zeename[]="AVeryLongStringGoesHere";
struct passwd * gunk;

int
main(void)
{
	gunk=getpwnam(zeename);
	return 0;
}

>Fix:
If it's really just a null termination problem, add the null.  I've
not yet recompiled my libraries to test this theory.
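
Added example, not code from the PR or from libc: a stand-alone reconstruction of the key set-up described above, with the original length computation beside the clamped one from Archie's patch in the audit trail, so the over-long key.size can be checked without provoking the crash. UT_NAMESIZE, the _PW_KEYBYNAME value and sizeof(bf) are assumptions about the libc of that era.

```c
#include <stddef.h>
#include <string.h>

/* Assumed values: UT_NAMESIZE was 16 and the key buffer bf was one byte
 * larger, as the PR description says; the key tag byte is illustrative. */
#define UT_NAMESIZE   16
#define _PW_KEYBYNAME '1'
#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

struct key_info {
    size_t copied;    /* bytes of name actually copied into bf */
    size_t key_size;  /* what would be handed to __hashpw() as key.size */
    size_t buf_size;  /* sizeof(bf): the most __hashpw() may safely read */
};

/* fixed == 0 reproduces the original code path; fixed != 0 the clamped one. */
struct key_info build_key(const char *name, int fixed)
{
    char bf[UT_NAMESIZE + 1];
    size_t len;
    struct key_info k;

    memset(bf, 0, sizeof bf);
    bf[0] = _PW_KEYBYNAME;
    if (fixed) {
        len = MIN(strlen(name), UT_NAMESIZE);       /* clamp first ...      */
        memcpy(bf + 1, name, len);                  /* ... then copy         */
    } else {
        len = strlen(name);                         /* unclamped length      */
        memcpy(bf + 1, name, MIN(len, UT_NAMESIZE));/* copy is clamped, but  */
    }                                               /* key.size below is not */
    k.copied = MIN(len, UT_NAMESIZE);
    k.key_size = len + 1;
    k.buf_size = sizeof bf;
    return k;
}

/* True when __hashpw() would be told to read past the end of bf. */
int key_overruns(const char *name, int fixed)
{
    struct key_info k = build_key(name, fixed);
    return k.key_size > k.buf_size;
}
```

With the PR's 23-character name the unclamped path reports a 24-byte key over a 17-byte buffer, which is the read that lands in __hashpw().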

>Release-Note:
>Audit-Trail:

From: Archie Cobbs <archie@whistle.com>
To: freebsd-gnats-submit@freebsd.org
Cc: 
Subject: Re: bin/8176: Buffer overflow in function called by getpwnam()
Date: Thu, 29 Oct 1998 11:09:32 -0800 (PST)

 Here's a patch that fixes the bug.
 
 -Archie
 
 ___________________________________________________________________________
 Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
 
 Index: getpwent.c
 ===================================================================
 RCS file: /cvs/freebsd/src/lib/libc/gen/getpwent.c,v
 retrieving revision 1.44
 diff -u -r1.44 getpwent.c
 --- getpwent.c	1998/02/01 06:16:08	1.44
 +++ getpwent.c	1998/10/29 19:09:06
 @@ -145,8 +145,8 @@
  		return((struct passwd *)NULL);
  
  	bf[0] = _PW_KEYBYNAME;
 -	len = strlen(name);
 -	bcopy(name, bf + 1, MIN(len, UT_NAMESIZE));
 +	len = MIN(strlen(name), UT_NAMESIZE);
 +	bcopy(name, bf + 1, len);
  	key.data = (u_char *)bf;
  	key.size = len + 1;
  	rval = __hashpw(&key);
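 
 Review bot: Clamping `len` before the `bcopy` bounds `key.size = len + 1` by `UT_NAMESIZE + 1`, which is what stops `__hashpw()` from being handed a key longer than `bf`; but a name longer than `UT_NAMESIZE` is still silently truncated, so a lookup for such a name now matches whichever entry is keyed by its first `UT_NAMESIZE` characters instead of failing. Consider returning `NULL` (as for an unknown user) when `strlen(name) > UT_NAMESIZE`, or at least adding a comment above the `MIN()` stating that over-long names are truncated to the key width.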
State-Changed-From-To: open->closed 
State-Changed-By: msmith 
State-Changed-When: Thu Oct 29 15:17:36 PST 1998 
State-Changed-Why:  
length computed correctly as per Archie's followup 
>Unformatted:
