bentson (01/11/83)
Here's a funny bug in finger. It's been around our site for a while, but it comes and goes and we only just now found the problem. If the gcos field is empty and the length of the home directory field is longer than the size of buffer-2, then the code to pick up sub-fields within matchcmp will overrun the buffer (stepping on part of the call stack frame). We have added both code to ensure that the empty gcos field is identified and code to make sure that a long name doesn't overrun the buffer. *** finger.Nov13 Fri Nov 13 10:35:48 1981 --- finger.c Mon Jan 10 13:46:05 1983 *************** --- 65 ----- + #define NAMESIZE 20 /* maximum size name field */ *************** *** 1233,1239 char *login; char *given; { ! char buffer[ 20 ]; char c; int flag, i, unfound; --- 1235,1241 ----- char *login; char *given; { ! char buffer[ NAMESIZE ]; char c; int flag, i, unfound; *************** *** 1254,1260 while( unfound ) { if( flag ) { c = *gname++; ! if( c == SAMENAME ) { flag = 0; c = *login++; } --- 1256,1265 ----- while( unfound ) { if( flag ) { c = *gname++; ! if ( c == NULL ){ ! break; ! } ! else if( c == SAMENAME ) { flag = 0; c = *login++; } *************** *** 1283,1289 flag = 1; } else { ! buffer[ i++ ] = c; } } buffer[i++] = NULL; --- 1288,1299 ----- flag = 1; } else { ! if( i == NAMESIZE - 1 ){ ! fprintf(stderr, ! "size of name in /etc/passwd is too long"); ! break; ! }else ! buffer[ i++ ] = c; } } buffer[i++] = NULL; Craig VanWagner Randy Bentson Colo State U - Comp Sci
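Review bot: the comment on the new `#define NAMESIZE 20 /* maximum size name field */` is misleading: with the `i == NAMESIZE - 1` check in the last hunk the longest name actually stored is 19 bytes, so NAMESIZE is the buffer size including the terminator. Suggest `/* size of name buffer, including terminator */` so nobody later raises the check to `i == NAMESIZE`.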
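Review bot: in the `while( unfound )` hunk, `c` is a `char`, so the new end-of-string test `if ( c == NULL )` compares a character against the pointer constant; `if ( c == '\0' )` is the right spelling (the same applies to the `buffer[i++] = NULL;` that follows the loop). The `break` also relies on that `buffer[i++] = NULL;` after the loop to terminate the partial name, which is fine but deserves a comment at the break, since nothing at that point makes it obvious the buffer is left unterminated.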
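Review bot: the bounds check `if( i == NAMESIZE - 1 )` correctly leaves room for the terminator, but the diagnostic `"size of name in /etc/passwd is too long"` has no trailing newline and does not say which limit was hit or which entry is at fault, and it is written to stderr from inside the matching loop, so it will repeat for every candidate it is run against. Suggest at least `"finger: name field in /etc/passwd longer than %d bytes\n", NAMESIZE - 1`, and consider whether a silent truncation (the break already gives a non-match) is preferable to a message the user of finger cannot act on.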
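The copy loop the post describes, as an added stand-alone example that is not the finger source or the posted patch: it models why an empty gcos field lets an unguarded loop run straight into the home directory, and shows a bounded copy that applies both guards the patch adds (stop at end of input, stop when the buffer is full). The two passwd records are constructed, the choice of ':' as field terminator and ',' as sub-field terminator is an assumption made for illustration, and `field`, `unguarded_len`, `bounded_copy` and the status names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAMESIZE 20   /* same buffer size the posted patch uses */

enum copy_status { COPY_OK, COPY_END_OF_INPUT, COPY_TRUNCATED };

/* Constructed records (not from any real system). The first has an empty
   gcos field (5th) followed by a home directory far longer than NAMESIZE;
   the second has a normal two-part gcos field. */
static const char record_empty_gcos[] =
    "jdoe:x:1001:1001::/home/a-directory-name-longer-than-twenty-bytes:/bin/sh";
static const char record_normal[] =
    "jdoe:x:1001:1001:John Doe,Room 1:/home/jdoe:/bin/sh";

/* Pointer to the start of the n-th colon-separated field (0-based), or NULL
   if the line has fewer fields. */
static const char *field(const char *line, int n)
{
    const char *p = line;
    for (int i = 0; i < n; i++) {
        p = strchr(p, ':');
        if (p == NULL)
            return NULL;
        p++;
    }
    return p;
}

/* Bytes (terminator included) an unguarded loop would store if it copied
   until a ',' sub-field separator and checked neither the field end nor
   the buffer size.  Assumption for illustration: ',' is its only stop
   character, so an empty gcos field (first char ':') is never noticed and
   the copy continues through the home directory and beyond. */
static size_t unguarded_len(const char *src)
{
    size_t n = 0;
    while (src[n] != ',' && src[n] != '\0')
        n++;
    return n + 1;
}

/* Bounded copy with the guards the patch adds: stop at end of input, stop
   when the buffer is full, and (assumption) treat ':' as end of field and
   ',' as end of sub-field.  Always NUL-terminates dst (dstsize >= 1). */
static enum copy_status bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t i = 0;
    if (src == NULL)
        src = "";
    for (;;) {
        char c = src[i];
        if (c == '\0') {
            dst[i] = '\0';
            return COPY_END_OF_INPUT;
        }
        if (c == ':' || c == ',') {
            dst[i] = '\0';
            return COPY_OK;
        }
        if (i == dstsize - 1) {       /* only the terminator fits now */
            dst[i] = '\0';
            return COPY_TRUNCATED;
        }
        dst[i++] = c;
    }
}

/* Helpers: copy field n of a record into a NAMESIZE buffer and report the
   status, or the number of bytes that ended up in the buffer. */
static enum copy_status field_status(const char *line, int n)
{
    char buf[NAMESIZE];
    return bounded_copy(buf, sizeof buf, field(line, n));
}

static size_t field_copied_len(const char *line, int n)
{
    char buf[NAMESIZE];
    bounded_copy(buf, sizeof buf, field(line, n));
    return strlen(buf);
}

int main(void)
{
    static const char *const names[] = { "ok", "end of input", "truncated" };
    printf("empty gcos: unguarded loop would store %zu bytes in a %d-byte buffer\n",
           unguarded_len(field(record_empty_gcos, 4)), NAMESIZE);
    for (int n = 4; n <= 6; n++) {
        char buf[NAMESIZE];
        enum copy_status st = bounded_copy(buf, sizeof buf, field(record_empty_gcos, n));
        printf("field %d -> \"%s\" (%s)\n", n, buf, names[st]);
    }
    return 0;
}
```

Run as-is it prints the byte count the unguarded loop would have stored for the empty-gcos record (well past NAMESIZE) and then the bounded results for the gcos, home directory and shell fields: an empty name, a name cut at 19 bytes, and the shell copied whole.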
toddb (01/18/83)
#R:csu-cs:-196800:tekcrd:2500001:000:1862 tekcrd!toddb Jan 18 06:31:00 1983 ***** tektronix:net.bugs / csu-cs!bentson / 9:15 am Jan 11, 1983 [bentson's post above, quoted in full] ----------