From zach@gaffaneys.com  Sat Oct 10 01:10:34 1998
Received: from k6n1.znh.org (dialup4.gaffaneys.com [208.155.161.54])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA05492
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 10 Oct 1998 01:10:32 -0700 (PDT)
          (envelope-from zach@gaffaneys.com)
Received: (from zach@localhost)
	by k6n1.znh.org (8.9.1/8.9.1) id IAA13069;
	Sat, 10 Oct 1998 08:10:40 GMT
	(envelope-from zach)
Message-Id: <199810100810.IAA13069@k6n1.znh.org>
Date: Sat, 10 Oct 1998 08:10:40 GMT
From: zach@gaffaneys.com
Reply-To: zach@gaffaneys.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: buffer overflow in mail(1)
X-Send-Pr-Version: 3.2

>Number:         8250
>Category:       bin
>Synopsis:       buffer overflow in mail(1)
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 10 01:20:01 PDT 1998
>Closed-Date:    Sat Oct 10 02:58:31 PDT 1998
>Last-Modified:  Sat Oct 10 03:00:07 PDT 1998
>Originator:     Zach Heilig
>Release:        FreeBSD 3.0-BETA i386
>Organization:
none
>Environment:

>Description:

>How-To-Repeat:

1) set TMPDIR to any string longer than 14 characters.
2) run 'mail'

Thanks to Studded (Doug) for stumbling across this one :-)

>Fix:

Index: temp.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/mail/temp.c,v
retrieving revision 1.3
diff -u -r1.3 temp.c
--- temp.c	1997/07/24 06:56:33	1.3
+++ temp.c	1998/10/10 07:16:34
@@ -49,11 +49,11 @@
  * Give names to all the temporary files that we will need.
  */
 
-char	tempMail[24];
-char	tempQuit[24];
-char	tempEdit[24];
-char	tempResid[24];
-char	tempMesg[24];
+char	tempMail[FILENAME_MAX];
+char	tempQuit[FILENAME_MAX];
+char	tempEdit[FILENAME_MAX];
+char	tempResid[FILENAME_MAX];
+char	tempMesg[FILENAME_MAX];
 char	*tmpdir;
 
 void
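Review bot: Growing the five arrays to FILENAME_MAX only raises the threshold; they are still fixed-size destinations for the strcpy() of tmpdir at the end of the next hunk, so this hunk is safe only together with the length check added there, and a TMPDIR longer than FILENAME_MAX would overflow in exactly the same way at the larger size. Because that later check compares against `sizeof tempMail` alone, all five sizes must stay identical; a single `#define` for the size would make that coupling explicit, and sizing the buffers at run time (`char *tempMail` plus malloc, which is what the audit trail says was committed) removes the limit altogether. Also confirm temp.c includes <stdio.h>, where FILENAME_MAX is defined.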
@@ -72,6 +72,11 @@
 		cp[len] = '/';
 		cp[len + 1] = '\0';
 		tmpdir = cp;
+	}
+
+	if ((strlen(tmpdir) + sizeof("RsXXXXXX")) > sizeof tempMail) {
+	  printf("ERROR: Temporary filename buffers are not big enough!\n");
+	  exit(1);
 	}
 
 	strcpy(tempMail, tmpdir);
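Review bot: The diagnostic is printed to stdout with printf() and does not tell the user what to change; `fprintf(stderr, ...)` or `errx(1, "TMPDIR too long")` would go to the right stream and name the cause. The arithmetic itself is correct: tmpdir already carries the '/' appended in the lines just above, and sizeof("RsXXXXXX") counts the terminating NUL, so the check refuses exactly the values that would overflow a 24-byte buffer under the old sizes. Two smaller points: the literal "RsXXXXXX" duplicates whatever template the strcat/strcpy calls below this hunk actually use, so if any of those templates is longer than eight characters the check undercounts (derive both from one macro); and the two new lines inside the if-block are indented with spaces where the surrounding file uses tabs.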
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: thepish 
State-Changed-When: Sat Oct 10 02:58:31 PDT 1998 
State-Changed-Why:  
Fixed (using malloc as opposed to supplied patch). Redefined tempMail[] as 
char *tempMail (etc) throughout. 

Thanks (thanks too to Studded). 
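The reproduction recipe above (a TMPDIR longer than 14 characters against 24-byte buffers) and the malloc-based fix the audit trail describes, worked through as an added C example. This is not FreeBSD's usr.bin/mail/temp.c; the function names, the TEMPLATE and OLD_BUFSIZE macros and the sample TMPDIR values are assumptions of this example.

```c
/*
 * Added example (not FreeBSD's usr.bin/mail/temp.c): reconstructs the
 * TMPDIR + "RsXXXXXX" length arithmetic from the report and shows two
 * bounded ways to build the template.  All names below are assumed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEMPLATE    "RsXXXXXX"  /* the mktemp-style template quoted in the patch */
#define OLD_BUFSIZE 24          /* size of tempMail[] before the fix */

/*
 * Mirrors the check the patch adds.  tmpdir_env is the raw TMPDIR value;
 * the original code appends a '/' before copying, hence the "+ 1".
 * sizeof(TEMPLATE) already counts the terminating NUL.  Returns 1 when
 * the finished name would not fit in bufsize bytes.
 */
int tmpdir_overflows(const char *tmpdir_env, size_t bufsize)
{
	return strlen(tmpdir_env) + 1 + sizeof(TEMPLATE) > bufsize;
}

/*
 * Fixed-buffer variant: refuse instead of overflowing.
 * Returns 0 on success, -1 when the name would not fit.
 */
int build_template_bounded(char *buf, size_t bufsize, const char *tmpdir_env)
{
	if (tmpdir_overflows(tmpdir_env, bufsize))
		return -1;
	/* Cannot truncate: the check above guarantees the name fits. */
	snprintf(buf, bufsize, "%s/%s", tmpdir_env, TEMPLATE);
	return 0;
}

/*
 * Heap variant, the shape the maintainers chose (char *tempMail sized at
 * run time): the buffer is sized from the input, so there is no limit to
 * check.  Caller frees.  Returns NULL on allocation failure.
 */
char *build_template_alloc(const char *tmpdir_env)
{
	size_t need = strlen(tmpdir_env) + 1 + sizeof(TEMPLATE);
	char *p = malloc(need);

	if (p == NULL)
		return NULL;
	snprintf(p, need, "%s/%s", tmpdir_env, TEMPLATE);
	return p;
}

int main(void)
{
	/* Constructed inputs: 4, 14 and 15 characters; 15 is the first that overflows. */
	const char *dirs[] = { "/tmp", "/var/tmp/abcde", "/var/tmp/abcdef" };
	char fixed[OLD_BUFSIZE];
	size_t i;

	for (i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
		char *heap = build_template_alloc(dirs[i]);
		int rc = build_template_bounded(fixed, sizeof fixed, dirs[i]);

		printf("TMPDIR=%-16s fixed[%d]: %s   heap: %s\n", dirs[i],
		    OLD_BUFSIZE, rc == 0 ? fixed : "REFUSED (would overflow)",
		    heap ? heap : "(malloc failed)");
		free(heap);
	}
	return 0;
}
```

The 14-character threshold in the report falls out of the arithmetic: 24 bytes minus one for the appended '/' minus nine for "RsXXXXXX" plus its NUL leaves 14 characters of TMPDIR. The bounded variant keeps the patch's fixed buffers but fails closed; the heap variant is the approach the audit trail says was committed, and needs no threshold at all.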
>Unformatted:
