From root@mindstep.com  Thu Nov 23 16:45:28 2000
Return-Path: <root@mindstep.com>
Received: from modemcable101.200-201-24.mtl.mc.videotron.ca (modemcable140.61-201-24.mtl.mc.videotron.ca [24.201.61.140])
	by hub.freebsd.org (Postfix) with SMTP id 54F9A37B4C5
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Nov 2000 16:45:26 -0800 (PST)
Received: (qmail 36670 invoked from network); 24 Nov 2000 00:45:24 -0000
Received: from nitro.local.mindstep.com (HELO nitro) (postfix@192.168.10.2)
  by jacuzzi.local.mindstep.com with SMTP; 24 Nov 2000 00:45:24 -0000
Received: by nitro (Postfix, from userid 0)
	id 1A7322703C6; Thu, 23 Nov 2000 19:45:22 -0500 (EST)
Message-Id: <20001124004522.1A7322703C6@nitro>
Date: Thu, 23 Nov 2000 19:45:22 -0500 (EST)
From: patrick@mindstep.com
Sender: root@mindstep.com
Reply-To: patrick@mindstep.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: the kernel config utility crashes with large path
X-Send-Pr-Version: 3.2

>Number:         23057
>Category:       kern
>Synopsis:       the kernel config utility crashes with large path
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    imp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 23 16:50:00 PST 2000
>Closed-Date:    Thu Nov 23 22:44:50 PST 2000
>Last-Modified:  Thu Nov 23 22:45:57 PST 2000
>Originator:     Patrick Bihan-Faou
>Release:        FreeBSD 4.1.1-STABLE i386
>Organization:
MindStep Corporation
>Environment:

Up-to-date source code from the 4-STABLE branch (cvs co as of Nov, 22)

>Description:

The config utility used to configure a customized kernel can not accept
long path names as arguments. Many internal variables are not sized properly
(usually 80 characters !!!), and unsafe string copies are performed all
over the place.


>How-To-Repeat:

config  -d /a/path/obviously/longer/than/80/characters/which/can/happen/easily/if/you/keep/your/source/in/a/non/standard/directory/src/sys/KERNELNAME KERNELNAME

will provoke the appropriate crash.

>Fix:


The following set of patches for /usr/sbin/config fixes a bunch of unsafe
string manipulations and sizes the variables that hold paths to be
MAXPATHLEN long.



--- main.c.orig
+++ main.c
@@ -98,7 +98,7 @@
 		switch (ch) {
 		case 'd':
 			if (*destdir == '\0')
-				strcpy(destdir, optarg);
+				strncpy(destdir, optarg, sizeof(destdir));
 			else
 				errx(2, "directory already set");
 			break;
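Review bot: `strncpy(destdir, optarg, sizeof(destdir))` leaves `destdir` without a terminating NUL whenever `optarg` is at least `sizeof(destdir)` bytes long, so an overlong `-d` argument no longer overruns the buffer on the copy but can still be read past its end by later code that treats `destdir` as a string. The same unterminated-copy pattern appears in the `else` branch of the next main.c hunk, in `toheader()` in mkheaders.c and three times in `tooption()` in mkoptions.c. Rejecting the path is safer than truncating it silently, e.g. `if (strlcpy(destdir, optarg, sizeof(destdir)) >= sizeof(destdir)) errx(2, "directory name too long");`, or at minimum follow each copy with `destdir[sizeof(destdir) - 1] = '\0';`. The enclosing function starts and ends outside this hunk.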
@@ -135,8 +135,8 @@
 			destdir[--len] = '\0';
 		get_srcdir();
 	} else {
-		strcpy(destdir, CDIR);
-		strcat(destdir, PREFIX);
+		strncpy(destdir, CDIR, sizeof(destdir));
+		strncat(destdir, PREFIX, sizeof(destdir)-strlen(destdir));
 	}
 
 	p = path((char *)NULL);
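Review bot: The bound passed to `strncat` in the `else` branch is one too large, because `strncat` appends up to n characters and then writes a terminating NUL, so `sizeof(destdir)-strlen(destdir)` permits a write one byte past the end of `destdir`. Use `sizeof(destdir) - strlen(destdir) - 1`, or build the string in one step with `snprintf(destdir, sizeof(destdir), "%s%s", CDIR, PREFIX);` and check the return value for truncation. Here the inputs look like compile-time constants, so the overflow is probably not reachable. `toheader()` in mkheaders.c has the same off-by-one on a value returned by `path(dev)`, and if the preceding `strncpy` there fills `hbuf` without a NUL, `strlen(hbuf)` reads past the buffer and the subtraction wraps to a very large size. The enclosing function extends beyond this hunk.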
@@ -183,7 +183,7 @@
 	 * and similarly for "machine".
 	 */
 	{
-	char xxx[80];
+	char xxx[MAXPATHLEN];
 	if (*srcdir == '\0')
 		(void)snprintf(xxx, sizeof(xxx), "../../%s/include",
 		    machinename);
--- mkheaders.c.orig
+++ mkheaders.c
@@ -43,6 +43,7 @@
  * Make all the .h files for the optional entries
  */
 
+#include <sys/param.h>
 #include <ctype.h>
 #include <err.h>
 #include <stdio.h>
@@ -220,10 +221,10 @@
 toheader(dev)
 	char *dev;
 {
-	static char hbuf[80];
+	static char hbuf[MAXPATHLEN];
 
-	(void) strcpy(hbuf, path(dev));
-	(void) strcat(hbuf, ".h");
+	(void) strncpy(hbuf, path(dev), sizeof(hbuf));
+	(void) strncat(hbuf, ".h", sizeof(hbuf)-strlen(hbuf));
 	return (hbuf);
 }
 
--- mkmakefile.c.orig
+++ mkmakefile.c
@@ -45,6 +45,7 @@
  * additional files for the machine being compiled to.
  */
 
+#include <sys/param.h>
 #include <ctype.h>
 #include <err.h>
 #include <stdio.h>
@@ -232,7 +233,7 @@
 	struct device *save_dp;
 	register struct opt *op;
 	char *wd, *this, *needs, *special, *depends, *clean, *warn;
-	char fname[80];
+	char fname[MAXPATHLEN];
 	int ddwarned = 0;
 	int nreqs, first = 1, configdep, isdup, std, filetype,
 	    imp_rule, no_obj, before_depend, mandatory;
--- mkoptions.c.orig
+++ mkoptions.c
@@ -44,6 +44,7 @@
  * Make all the .h files for the optional entries
  */
 
+#include <sys/param.h>
 #include <ctype.h>
 #include <err.h>
 #include <stdio.h>
@@ -275,21 +276,21 @@
 tooption(name)
 	char *name;
 {
-	static char hbuf[80];
-	char nbuf[80];
+	static char hbuf[MAXPATHLEN];
+	char nbuf[MAXPATHLEN];
 	struct opt_list *po;
 
 	/* "cannot happen"?  the otab list should be complete.. */
-	(void) strcpy(nbuf, "options.h");
+	(void) strncpy(nbuf, "options.h", sizeof(nbuf));
 
 	for (po = otab ; po != 0; po = po->o_next) {
 		if (eq(po->o_name, name)) {
-			strcpy(nbuf, po->o_file);
+			strncpy(nbuf, po->o_file, sizeof(nbuf));
 			break;
 		}
 	}
 
-	(void) strcpy(hbuf, path(nbuf));
+	(void) strncpy(hbuf, path(nbuf), sizeof(nbuf));
 	return (hbuf);
 }
 
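Review bot: The final copy in `tooption()` bounds the write into `hbuf` with `sizeof(nbuf)`. Both arrays are `MAXPATHLEN` in this patch so the sizes coincide, but the bound names the wrong buffer and becomes an overflow as soon as either declaration changes. Write `strncpy(hbuf, path(nbuf), sizeof(hbuf));` followed by `hbuf[sizeof(hbuf) - 1] = '\0';`, since `hbuf` is returned to the caller as a string. A silently truncated header path can also name a different file than the one intended, so failing with `errx` on an overlong result would be the more defensive behaviour.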
@@ -300,7 +301,7 @@
 read_options()
 {
 	FILE *fp;
-	char fname[80];
+	char fname[MAXPATHLEN];
 	char *wd, *this, *val;
 	struct opt_list *po;
 	int first = 1;



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: roam 
State-Changed-When: Thu Nov 23 22:44:50 PST 2000 
State-Changed-Why:  
Aren't those exactly the patches that Warner Losh committed on Nov 21, 
around 20:00 UTC?  Look at the following revisions of the files: 

Filename	HEAD	RELENG_4 

main.c		1.41	1.37.2.2 
mkheaders.c	1.17	1.14.2.1 
mkmakefile.c	1.56	1.51.2.2 
mkoptions.c	1.21	1.17.2.2 


Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: roam 
Responsible-Changed-When: Thu Nov 23 22:44:50 PST 2000 
Responsible-Changed-Why:  
Warner Losh committed this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23057 
>Unformatted:
