Message-ID: <20150808162918.GC32423@port70.net>
Date: Sat, 8 Aug 2015 18:29:19 +0200
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: [PATCH] fix failure of tempnam to null-terminate result
* Felix Janda <felix.janda@...teo.de> [2015-08-08 19:25:13 +0200]:
> tempnam uses an uninitialized buffer which is filled using memcpy and
> __randname. It is therefore necessary to explicitly null-terminate it.
ouch

I think this bug is not exploitable
but in the same function there is a possible overflow issue:

	dl = strlen(dir);
	pl = strlen(pfx);
	l = dl + 1 + pl + 1 + 6;

if l overflows here then memcpy can overwrite the stack.
> ---
> src/stdio/tempnam.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/stdio/tempnam.c b/src/stdio/tempnam.c
> index 45a5f26..b938b31 100644
> --- a/src/stdio/tempnam.c
> +++ b/src/stdio/tempnam.c
> @@ -33,6 +33,7 @@ char *tempnam(const char *dir, const char *pfx)
> s[dl] = '/';
> memcpy(s+dl+1, pfx, pl);
> s[dl+1+pl] = '_';
> + s[l] = '\0';
>
> for (try=0; try<MAXTRIES; try++) {
> __randname(s+l-6);
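Review bot: the added `s[l] = '\0';` lands one byte past the six characters that `__randname(s+l-6)` fills, so the buffer has to hold l+1 bytes, and the bound check on l is not visible in this hunk; confirm that check rejects `l >= sizeof s` rather than `l > sizeof s`, otherwise the terminator is itself a one-byte overflow for the longest accepted name. The placement before the loop is fine, since each iteration rewrites only `s[l-6]` through `s[l-1]` and the terminator stays intact across tries. As noted above, the computation of l from `dl + 1 + pl + 1 + 6` also needs to be guarded against wraparound for the bound check to mean anything.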
> --
> 2.4.6
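The wraparound Szabolcs describes and the terminator the patch adds, as an added example: this is not musl's tempnam.c nor code from either poster. It assumes a caller-supplied capacity in place of PATH_MAX and a fixed six-byte suffix in place of __randname so the output is deterministic; the names naive_tempname_len, checked_tempname_len, build_tempname and demo_build are invented for the illustration. The naive length is the exact expression quoted above and shows the wrap; the checked version bounds each operand before adding so the result can never be a small number that passes a `l >= PATH_MAX` test while dl is huge.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not musl's tempnam.c: the same name layout
 * (dir + '/' + pfx + '_' + six random chars + NUL) with a length check
 * that cannot be bypassed by size_t wraparound. */

#define SUFFIX_LEN 6               /* bytes __randname fills; fixed input here */
#define EXTRA (1 + 1 + SUFFIX_LEN) /* '/', '_' and the suffix */

/* The arithmetic quoted in the thread. Unsigned addition wraps, so for
 * dl + pl close to SIZE_MAX the result is a small number that passes any
 * "l >= PATH_MAX" check while memcpy(s, dir, dl) still copies dl bytes. */
static size_t naive_tempname_len(size_t dl, size_t pl)
{
	return dl + 1 + pl + 1 + SUFFIX_LEN;
}

/* Wrap-proof version: bound each operand before adding. Returns l when
 * the name plus terminator fits in cap bytes, 0 otherwise (a valid l is
 * never below EXTRA, so 0 is unambiguous). */
static size_t checked_tempname_len(size_t dl, size_t pl, size_t cap)
{
	if (cap < EXTRA + 1) return 0;
	size_t room = cap - EXTRA - 1;     /* bytes available for dir and pfx */
	if (dl > room) return 0;           /* after this, room - dl cannot wrap */
	if (pl > room - dl) return 0;
	return dl + pl + EXTRA;            /* <= cap - 1, so s[l] is in bounds */
}

/* Build the name into s (capacity cap bytes). suffix6 stands in for
 * __randname so the result is deterministic. Returns 0, or -1 with
 * errno set to ENAMETOOLONG. */
static int build_tempname(char *s, size_t cap, const char *dir,
                          const char *pfx, const char *suffix6)
{
	size_t dl = strlen(dir), pl = strlen(pfx);
	size_t l = checked_tempname_len(dl, pl, cap);
	if (!l) {
		errno = ENAMETOOLONG;
		return -1;
	}
	memcpy(s, dir, dl);
	s[dl] = '/';
	memcpy(s + dl + 1, pfx, pl);
	s[dl + 1 + pl] = '_';
	memcpy(s + l - SUFFIX_LEN, suffix6, SUFFIX_LEN);
	s[l] = '\0';   /* the terminator the patch adds; nothing above wrote it */
	return 0;
}

/* Demo helper: builds "/tmp/temp_abcdef" (constructed input) into a buffer
 * pre-filled with 'X', using only the first cap bytes; NULL on failure.
 * Without the terminator, strlen() would run on into the 'X' padding. */
static const char *demo_build(size_t cap)
{
	static char buf[64];
	memset(buf, 'X', sizeof buf);
	if (cap > sizeof buf) cap = sizeof buf;
	if (build_tempname(buf, cap, "/tmp", "temp", "abcdef") < 0)
		return NULL;
	return buf;
}

int main(void)
{
	const char *n = demo_build(sizeof(size_t) * 8);
	printf("built: %s (len %zu)\n", n ? n : "(failed)", n ? strlen(n) : 0);
	printf("naive length for dl = SIZE_MAX-3: %zu\n",
	       naive_tempname_len(SIZE_MAX - 3, 0));
	printf("checked length for the same dl: %zu (0 = rejected)\n",
	       checked_tempname_len(SIZE_MAX - 3, 0, 4096));
	return 0;
}
```

Compile as a single C99 file and run it: the naive length for a dir of SIZE_MAX-3 bytes comes out as 4, which a `l >= PATH_MAX` test would accept, while the checked version rejects it; the demo also shows that a capacity of 16 is rejected for a 16-character name because the terminator needs the 17th byte, which is exactly the off-by-one the bound check must get right.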