From nobody@FreeBSD.org  Wed Feb 23 22:37:19 2000
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 4A15337BAFF
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 23 Feb 2000 22:37:19 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id WAA69495;
	Wed, 23 Feb 2000 22:37:19 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Message-Id: <200002240637.WAA69495@freefall.freebsd.org>
Date: Wed, 23 Feb 2000 22:37:19 -0800 (PST)
From: spock@techfour.net
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] catopen(3) in libc can overflow on $NLSPATH
X-Send-Pr-Version: www-1.0

>Number:         16954
>Category:       misc
>Synopsis:       [PATCH] catopen(3) in libc can overflow on $NLSPATH
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kris
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 23 22:40:01 PST 2000
>Closed-Date:    Fri Oct 6 19:59:00 PDT 2000
>Last-Modified:  Fri Oct 06 19:59:17 PDT 2000
>Originator:     Mike Heffner
>Release:        4.0-current
>Organization:
>Environment:
FreeBSD 4.0-CURRENT #0: Sat Feb 19 20:05:45 EST 2000
>Description:
The function catopen(3) in libc can overflow if $NLSPATH is too long.
This can be noticed by running /usr/bin/ee.
>How-To-Repeat:
$ NLSPATH=[5120] ee
>Fix:
Apply patch and recompile libc

Index: lib/libc/nls/msgcat.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/nls/msgcat.c,v
retrieving revision 1.21
diff -u -r1.21 msgcat.c
--- msgcat.c    2000/01/27 23:06:33     1.21
+++ msgcat.c    2000/02/02 19:38:09
@@ -92,8 +92,9 @@
     char        *nlspath;
     char       *lang;
     long       len;
-    char       *base, *cptr, *pathP;
+    char       *base, *cptr;
     struct stat        sbuf;
+    int         j;

     if (!name || !*name) {
        errno = EINVAL;
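Review bot: `j` is introduced here as a plain `int`, but the second hunk uses it in `sizeof(path)-j-1`, where it is converted to `size_t` and the subtraction is done unsigned; if `j` ever reached `sizeof(path)` that guard would wrap to a large value and pass instead of failing. Declare `j` as `size_t` and write the guards as `j < sizeof(path)-1`, which cannot wrap and also avoids the signed/unsigned mix.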
@@ -127,20 +128,22 @@
        for (nlspath = cptr; *cptr; ++cptr) {
            if (*cptr == ':') {
                *cptr = '\0';
-               for (pathP = path; *nlspath; ++nlspath) {
+               for (j=0; *nlspath; ++nlspath) {
                    if (*nlspath == '%') {
                        if (*(nlspath + 1) == 'L') {
                            ++nlspath;
-                           strcpy(pathP, lang);
-                           pathP += strlen(lang);
+                           strncpy(path+j, lang, sizeof(path)-j-1);
+                           j += strlen(path+j);
                        } else if (*(nlspath + 1) == 'N') {
                            ++nlspath;
-                           strcpy(pathP, name);
-                           pathP += strlen(name);
-                       } else *(pathP++) = *nlspath;
-                   } else *(pathP++) = *nlspath;
+                           strncpy(path+j, name, sizeof(path)-j-1);
+                           j += strlen(path+j);
+                       } else if(sizeof(path)-j-1)
+                          path[j++] = *nlspath;
+                   } else if(sizeof(path)-j-1)
+                      path[j++] = *nlspath;
                }
-               *pathP = '\0';
+               path[j] = '\0';
                if (stat(path, &sbuf) == 0) {
                    catpath = path;
                    break;
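Review bot: the two `strncpy(path+j, ..., sizeof(path)-j-1)` calls do not write a terminating NUL when `lang` or `name` is longer than the remaining room, yet the line that follows each, `j += strlen(path+j)`, depends on one being there; strlen then runs into whatever sits after the buffer and `j` can end up beyond `sizeof(path)`, so the closing `path[j] = '\0';` writes out of bounds, which is the bug the patch sets out to fix. Terminate explicitly (`path[sizeof(path)-1] = '\0';` before each `strlen`) or copy with `strlcpy(path+j, lang, sizeof(path)-j)`, which FreeBSD libc provides, always terminates, and returns the full source length so truncation can be detected. Silent truncation is itself worth avoiding here: a shortened candidate is still handed to `stat(path, &sbuf)` and may match a file that the configured `NLSPATH` never named, so a truncated expansion should be dropped rather than tested.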



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kris 
Responsible-Changed-By: kris 
Responsible-Changed-When: Fri Aug 4 15:23:44 PDT 2000 
Responsible-Changed-Why:  
I'll look at this since I already developed my own patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=16954 
State-Changed-From-To: open->closed 
State-Changed-By: kris 
State-Changed-When: Fri Oct 6 19:59:00 PDT 2000 
State-Changed-Why:  
Problem resolved - thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=16954 
>Unformatted:
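As an added illustration of the expansion catopen(3) performs on each $NLSPATH component (example code written for this page, not FreeBSD's msgcat.c and not the submitter's patch): expand_unbounded() keeps the shape of the pre-patch loop, strcpy into a fixed buffer with no length check, and is the form the 5120-byte NLSPATH in the report overruns; expand_bounded() appends through a helper that always NUL-terminates and reports truncation, so a candidate that does not fit is skipped instead of being stat()ed as a shortened path. Function names, the 32-byte CAT_PATH_MAX, and the sample inputs are assumptions of the example.

```c
/*
 * Added example, not code from FreeBSD's lib/libc/nls/msgcat.c.
 * The NLSPATH template expansion done by catopen(3), written twice:
 * expand_unbounded() mirrors the pre-patch logic and is kept only as the
 * "before"; expand_bounded() stops at the buffer size and reports truncation.
 * Names, CAT_PATH_MAX and the sample inputs are the example's own assumptions.
 */
#include <stdio.h>
#include <string.h>

#define CAT_PATH_MAX 32   /* deliberately small so truncation is easy to hit */

/* Pre-patch shape: walks a pointer, copies with strcpy, overflows on long input. */
void expand_unbounded(const char *tmpl, const char *lang, const char *name,
                      char path[CAT_PATH_MAX])
{
    char *p = path;
    for (; *tmpl; ++tmpl) {
        if (*tmpl == '%' && tmpl[1] == 'L') {
            ++tmpl;
            strcpy(p, lang);        /* no bound: an overlong $LANG overflows here */
            p += strlen(lang);
        } else if (*tmpl == '%' && tmpl[1] == 'N') {
            ++tmpl;
            strcpy(p, name);
            p += strlen(name);
        } else {
            *p++ = *tmpl;           /* no bound on literal template bytes either */
        }
    }
    *p = '\0';
}

/* Append n bytes of src at out[*pos]; always NUL-terminates; -1 if it did not fit. */
static int append_bounded(char *out, size_t cap, size_t *pos, const char *src, size_t n)
{
    size_t room = cap - 1 - *pos;     /* invariant: *pos <= cap - 1 */
    size_t take = n < room ? n : room;
    memcpy(out + *pos, src, take);
    *pos += take;
    out[*pos] = '\0';
    return take == n ? 0 : -1;
}

/*
 * Hardened form: %L -> lang, %N -> name, anything else literal (a '%' not
 * followed by L or N is copied as-is, matching the original loop).
 * Returns 0 on success; -1 means the candidate was truncated and must not be used.
 */
int expand_bounded(const char *tmpl, const char *lang, const char *name,
                   char *out, size_t cap)
{
    size_t pos = 0;
    out[0] = '\0';
    for (; *tmpl; ++tmpl) {
        int rc;
        if (*tmpl == '%' && tmpl[1] == 'L') {
            ++tmpl;
            rc = append_bounded(out, cap, &pos, lang, strlen(lang));
        } else if (*tmpl == '%' && tmpl[1] == 'N') {
            ++tmpl;
            rc = append_bounded(out, cap, &pos, name, strlen(name));
        } else {
            rc = append_bounded(out, cap, &pos, tmpl, 1);
        }
        if (rc != 0)
            return -1;              /* caller skips this candidate; never stat() it */
    }
    return 0;
}

/*
 * Walk a colon-separated NLSPATH the way catopen(3) does and return the index of
 * the first component whose expansion fits in out[cap], or -1 if none does.
 * A real implementation would stat() each fitting candidate; empty or overlong
 * template components and truncated expansions are skipped outright.
 */
int first_fitting_component(const char *nlspath, const char *lang, const char *name,
                            char *out, size_t cap)
{
    char tmpl[256];                 /* constructed limit on one template component */
    int idx = 0;
    while (*nlspath) {
        size_t len = strcspn(nlspath, ":");
        if (len > 0 && len < sizeof(tmpl)) {
            memcpy(tmpl, nlspath, len);
            tmpl[len] = '\0';
            if (expand_bounded(tmpl, lang, name, out, cap) == 0)
                return idx;
        }
        nlspath += len;
        if (*nlspath == ':')
            ++nlspath;
        ++idx;
    }
    return -1;
}

int main(void)
{
    char path[CAT_PATH_MAX];
    /* constructed sample inputs: a typical lang value and ee's catalog name */
    int idx = first_fitting_component("/usr/share/nls/%L/%N.cat:/tmp/%N.cat",
                                      "en_US.ISO8859-1", "ee", path, sizeof(path));
    printf("component %d -> %s\n", idx, path);
    return 0;
}
```

With the sample lang the first component expands to 33 bytes, too long for the 31 usable bytes, so it is rejected and the walk returns the second, /tmp/ee.cat. Returning -1 rather than a best-effort string is the point: the caller must never pass a truncated path to stat(), since a shortened name can match a file the configured NLSPATH never pointed at.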
