From nobody  Fri Jul 24 01:51:18 1998
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id BAA21771;
          Fri, 24 Jul 1998 01:51:18 -0700 (PDT)
          (envelope-from nobody)
Message-Id: <199807240851.BAA21771@hub.freebsd.org>
Date: Fri, 24 Jul 1998 01:51:18 -0700 (PDT)
From: bonga@doxx.net
To: freebsd-gnats-submit@freebsd.org
Subject: the libslang-1.2.2 seems to have a minor buffer overflow in it ...
X-Send-Pr-Version: www-1.0

>Number:         7387
>Category:       ports
>Synopsis:       the libslang-1.2.2 seems to have a minor buffer overflow in it ...
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 24 02:00:01 PDT 1998
>Closed-Date:    Sun Jul 26 17:35:34 PDT 1998
>Last-Modified:  Sun Jul 26 17:36:22 PDT 1998
>Originator:     saad
>Release:        2.2.6
>Organization:
n/a
>Environment:
FreeBSD patla.webbernet.net 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Mon Jul 20 02:39:31 EDT 1998     root@patla.webbernet.net:/usr/src.1/sys/compile/GENERIC  i386

>Description:
/usr/ports/devel/libslang/work/slang/src/sltermin.c:

char *tidir;
char *term;  /* passed into the function ... */
char file[1024];


275        if ((tidir != NULL)
276            && (sizeof (file) > strlen (tidir) + 2 + strlen (term)))
277          {
278            sprintf (file, "%s/%c/%s", tidir, *term, term);

>How-To-Repeat:
if the two strings in question have a combined length of 1021,
1021 + 2 would fulfil the less-than 1024 (sizeof(file)) length.

but when sprintf'ing, more than three extra characters apart from these
strings are required: these would be '/', %c, '/' _AND_ the ending NULL
character, which seems to be pushed into something else's memory space.
>Fix:
either of these two should work:
either:

1. use snprintf instead of sprintf so that the NULL char doesn't
 overwrite anything, even though it might concatenate the string by one
 character

or:
2. converting line 276 to:
&& (sizeof (file) > strlen (tidir) + 3 + strlen (term)))
                                    ^^^

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: steve 
State-Changed-When: Sun Jul 26 17:35:34 PDT 1998 
State-Changed-Why:  
Suggested patch committed, thanks! 
>Unformatted:
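The boundary case the report walks through, as an added example (this is not code from the PR or from libslang; the function names, the 1020-byte tidir plus one-byte term split, and the `worst_overflow` search are assumptions made for illustration). It places the guard quoted at line 276 ("+ 2") beside the "+ 3" variant, counts what the `"%s/%c/%s"` sprintf actually stores, and shows the snprintf variant truncating instead of writing past the buffer:

```c
#include <stdio.h>
#include <string.h>

#define FILE_LEN 1024   /* char file[1024] in sltermin.c */

/* Bytes that sprintf(file, "%s/%c/%s", tidir, *term, term) stores:
 * tidir, '/', the %c byte, '/', term, and the terminating NUL. */
size_t sprintf_bytes_needed(size_t tidir_len, size_t term_len)
{
    return tidir_len + 1 + 1 + 1 + term_len + 1;
}

/* The guard as quoted at line 276: "+ 2" accounts for the two '/' only. */
int original_guard_allows(size_t tidir_len, size_t term_len)
{
    return FILE_LEN > tidir_len + 2 + term_len;
}

/* The guard with the PR's second suggested fix: "+ 3". */
int fixed_guard_allows(size_t tidir_len, size_t term_len)
{
    return FILE_LEN > tidir_len + 3 + term_len;
}

/* Sweeps string lengths (hypothetical search, added for illustration) and
 * returns the largest number of bytes a permitted sprintf would write past
 * the end of file[]. 0 means the guard is sufficient. */
size_t worst_overflow(int (*guard)(size_t, size_t))
{
    size_t worst = 0;
    for (size_t tidir_len = 0; tidir_len <= FILE_LEN; tidir_len++) {
        for (size_t term_len = 1; term_len <= 4; term_len++) {
            if (!guard(tidir_len, term_len))
                continue;
            size_t need = sprintf_bytes_needed(tidir_len, term_len);
            if (need > FILE_LEN && need - FILE_LEN > worst)
                worst = need - FILE_LEN;
        }
    }
    return worst;
}

/* The PR's first suggested fix: snprintf bounds the write to file_len and
 * always NUL-terminates. Returns 1 when the whole path fit, 0 when it was
 * truncated (the report's "concatenate the string by one character"). */
int build_path(char *file, size_t file_len, const char *tidir, const char *term)
{
    int n = snprintf(file, file_len, "%s/%c/%s", tidir, *term, term);
    return n >= 0 && (size_t)n < file_len;
}

/* Constructed boundary input: a 1020-byte tidir and a 1-byte term, the
 * combined length of 1021 the report describes. */
static int boundary_case(size_t *out_len)
{
    static char tidir[1021];
    char file[FILE_LEN];
    memset(tidir, 'a', 1020);
    tidir[1020] = '\0';
    int fit = build_path(file, sizeof file, tidir, "b");
    if (out_len)
        *out_len = strlen(file);
    return fit;
}

int boundary_case_fit(void) { return boundary_case(NULL); }

size_t boundary_case_len(void)
{
    size_t n = 0;
    boundary_case(&n);
    return n;
}

int main(void)
{
    printf("bytes needed for 1020 + 1: %zu (buffer %d)\n",
           sprintf_bytes_needed(1020, 1), FILE_LEN);
    printf("original guard allows it: %d, fixed guard allows it: %d\n",
           original_guard_allows(1020, 1), fixed_guard_allows(1020, 1));
    printf("worst overflow, original guard: %zu byte(s)\n",
           worst_overflow(original_guard_allows));
    printf("worst overflow, fixed guard:    %zu byte(s)\n",
           worst_overflow(fixed_guard_allows));
    printf("snprintf at the boundary: fit=%d, strlen(file)=%zu\n",
           boundary_case_fit(), boundary_case_len());
    return 0;
}
```

With the original guard, combined length 1021 passes and the sprintf stores 1025 bytes, one past the array; with "+ 3" the largest permitted combination is 1020 and the write fits exactly. The snprintf form keeps the write in bounds on its own but silently drops the last path character, so checking its return value (as `build_path` does) is what turns truncation into a detectable failure rather than a wrong filename.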
