[net.bugs] Finger bug

bentson (01/11/83)

Here's a funny bug in finger. It's been around our site for a while,
but it comes and goes and we only just now found the problem.

If the gcos field is empty and the length of the home directory field
is longer than the size of buffer-2, then the code to pick up sub-fields
within matchcmp will overrun the buffer (stepping on part of the call
stack frame). We have added both code to ensure that the empty gcos field
is identified and code to make sure that a long name doesn't overrun the
buffer.

*** finger.Nov13	Fri Nov 13 10:35:48 1981
--- finger.c		Mon Jan 10 13:46:05 1983
***************
--- 65 -----
+ #define		NAMESIZE	20	/* maximum size name field */
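Review bot: the comment on the new `#define` should say what the constant really is: the size of `buffer` including the terminating NUL, so the longest name that fits is `NAMESIZE - 1` characters, which is exactly the reading the bound check in the last hunk relies on. Something like `/* size of matchcmp's name buffer, including NUL */` would make that explicit. Naming the constant is the right move, but note that `20` is still a fixed stack buffer; the protection comes from the checks added later, not from this line.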
***************
*** 1233,1239
      char		*login;
      char		*given;
  {
! 	char		buffer[ 20 ];
  	char		c;
  	int		flag,  i,  unfound;
  

--- 1235,1241 -----
      char		*login;
      char		*given;
  {
! 	char		buffer[ NAMESIZE ];
  	char		c;
  	int		flag,  i,  unfound;
  
***************
*** 1254,1260
  		while(  unfound  )  {
  		    if( flag )  {
  			c = *gname++;
! 			if( c == SAMENAME )  {
  			    flag = 0;
  			    c = *login++;
  			}

--- 1256,1265 -----
  		while(  unfound  )  {
  		    if( flag )  {
  			c = *gname++;
! 			if ( c == NULL ){
! 			    break;
! 			}
! 			else if( c == SAMENAME )  {
  			    flag = 0;
  			    c = *login++;
  			}
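Review bot: `if ( c == NULL )` compares a `char` with the pointer constant `NULL`; write `if (c == '\0')` so the intent (end of the gcos string) is explicit and the code does not rely on `NULL` being a plain `0`. The `break` leaves `unfound` as it was, so confirm that the code after the loop treats a gname that ran out as a non-match rather than comparing the partially filled buffer. Also check that the other source of characters, `c = *login++` when `flag` is 0, gets the same end-of-string test; only the gname branch is covered here.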
***************
*** 1283,1289
  			flag = 1;
  		    }
  		    else  {
! 			buffer[ i++ ] = c;
  		    }
  		}
  		buffer[i++] = NULL;

--- 1288,1299 -----
  			flag = 1;
  		    }
  		    else  {
! 			if( i == NAMESIZE - 1 ){
! 			    fprintf(stderr,
! 				"size of name in /etc/passwd is too long");
! 			    break;
! 			}else
! 			    buffer[ i++ ] = c;
  		    }
  		}
  		buffer[i++] = NULL;
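Review bot: the `fprintf` message has no trailing newline and names neither the program nor the offending entry, so it will not end the line it is written on; use `"finger: name in /etc/passwd is too long\n"` and print the login if it is still available. More important, after the `break` the name is silently cut to `NAMESIZE - 1` characters with `unfound` unchanged, so a truncated name can still be compared as if it were complete; treating an over-long name as a mismatch would be safer. The bound itself is right: the test runs before the store, so at most 19 characters go in and `buffer[i++] = NULL` lands at index 19 (that `NULL` should also be `'\0'`). Minor style point: the `if` has braces and its `else` does not.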


Craig VanWagner
Randy Bentson
Colo State U - Comp Sci
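As an added illustration of the failure mode this report describes (example code written here, not bentson's patch and not finger's source): once a passwd line has been split into fields they sit back to back in memory, so a copy loop that stops only at a sub-field delimiter and never at the field's own '\0' walks straight from an empty gcos field into the home directory and stores whatever it finds into the 20-byte buffer. `old_loop_bytes` counts what such an unchecked loop would have written; `copy_subfield` is a bounded version that stops at the terminator, expands the `&` shorthand from the login name and refuses to store more than `NAMESIZE - 1` characters. The passwd record, the use of `,` as sub-field delimiter, the handling of `&` and every function name are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define NAMESIZE 20     /* finger's name buffer size, as in the patch */
#define SAMENAME '&'    /* gcos shorthand for the login name (assumed) */

/* Constructed passwd record as a getpwent()-style parser leaves it: every
 * ':' replaced by '\0', so the fields sit back to back and an empty gcos
 * field is a lone '\0' followed directly by the home directory. */
static const char record[] =
    "bentson\0" "x\0" "123\0" "100\0" "\0"
    "/usr/people/compsci/vanwagner\0" "/bin/sh";

/* Pointer to the n-th field (0 = login, 4 = gcos, 5 = home directory). */
const char *demo_field(int n)
{
    const char *p = record;
    while (n-- > 0)
        p += strlen(p) + 1;
    return p;
}

/* The record's final terminator; the old-loop demonstration stops there. */
const char *demo_record_end(void) { return record + sizeof record - 1; }

/* Shape of the 1981 loop: copy until a sub-field delimiter, never checking
 * for the gcos field's own '\0'.  This version only counts the bytes the
 * loop would have stored (stopped at 'end' so the count stays inside the
 * array); the real loop wrote them into a 20-byte array and kept going. */
size_t old_loop_bytes(const char *gname, const char *end)
{
    size_t n = 0;
    while (gname < end && *gname++ != ',')   /* ',' assumed delimiter */
        n++;
    return n + 1;                            /* plus the terminator */
}

/* Bounded replacement: stops at the field's own terminator (the empty gcos
 * case), expands SAMENAME from the login name, and stores at most size - 1
 * characters so the terminator always fits.  Returns the count stored, or
 * -1 when the sub-field would not fit. */
int copy_subfield(const char *gname, const char *login, char *buffer, size_t size)
{
    size_t i = 0;
    const char *src = gname;    /* where the next character comes from */
    const char *resume = NULL;  /* gcos position to return to after '&' */

    for (;;) {
        char c = *src;
        if (c == '\0' && resume != NULL) {
            src = resume;       /* login name used up: back to the gcos */
            resume = NULL;
            continue;
        }
        if (c == '\0' || (resume == NULL && c == ','))
            break;              /* end of the field or of this sub-field */
        if (resume == NULL && c == SAMENAME) {
            resume = src + 1;
            src = login;
            continue;
        }
        if (i >= size - 1) {    /* would overrun: stop, as the fix does */
            buffer[i] = '\0';
            return -1;
        }
        buffer[i++] = c;
        src++;
    }
    buffer[i] = '\0';
    return (int)i;
}

/* Wrappers over a static NAMESIZE buffer so results can be inspected. */
static char scratch[NAMESIZE];
int subfield_len(const char *gname, const char *login)
{
    return copy_subfield(gname, login, scratch, sizeof scratch);
}
const char *subfield_text(void) { return scratch; }

int main(void)
{
    printf("old loop on empty gcos would store %zu bytes into %d\n",
           old_loop_bytes(demo_field(4), demo_record_end()), NAMESIZE);
    printf("bounded copy of \"& Vanwagner\": %d \"%s\"\n",
           subfield_len("& Vanwagner", "craig"), subfield_text());
    printf("bounded copy of an over-long name: %d \"%s\"\n",
           subfield_len("Craig Van Wagner the Third", "craig"), subfield_text());
    return 0;
}
```

With the constructed record the unchecked loop would store 39 bytes (the empty gcos terminator, the 29-character home directory, its terminator and the shell field) into a 20-byte buffer, which is the overrun the report describes; the bounded copy stores nothing for the empty field and returns -1 for a name that does not fit instead of writing past the end.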

toddb (01/18/83)

#R:csu-cs:-196800:tekcrd:2500001:000:1862
tekcrd!toddb    Jan 18 06:31:00 1983

***** tektronix:net.bugs / csu-cs!bentson /  9:15 am  Jan 11, 1983
----------