|
Date: Sat, 8 Aug 2015 18:29:19 +0200 From: Szabolcs Nagy <nsz@...t70.net> To: musl@...ts.openwall.com Subject: Re: [PATCH] fix failure of tempnam to null-terminate result * Felix Janda <felix.janda@...teo.de> [2015-08-08 19:25:13 +0200]: > tempnam uses an uninitialized buffer which is filled using memcpy and > __randname. It is therefore necessary to explicitly null-terminate it. ouch i think this bug is not exploitable but in the same function there is a possible overflow issue: dl = strlen(dir); pl = strlen(pfx); l = dl + 1 + pl + 1 + 6; if l overflows here then memcpy can overwrite the stack. > --- > src/stdio/tempnam.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/stdio/tempnam.c b/src/stdio/tempnam.c > index 45a5f26..b938b31 100644 > --- a/src/stdio/tempnam.c > +++ b/src/stdio/tempnam.c > @@ -33,6 +33,7 @@ char *tempnam(const char *dir, const char *pfx) > s[dl] = '/'; > memcpy(s+dl+1, pfx, pl); > s[dl+1+pl] = '_'; > + s[l] = '\0'; > > for (try=0; try<MAXTRIES; try++) { > __randname(s+l-6); > -- > 2.4.6
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.