NetBSD Problem Report #53362

From www@NetBSD.org  Wed Jun 13 13:57:36 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 410FD7A1D2
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 13 Jun 2018 13:57:36 +0000 (UTC)
Message-Id: <20180613135735.166047A261@mollari.NetBSD.org>
Date: Wed, 13 Jun 2018 13:57:35 +0000 (UTC)
From: thomas.barabosch@fkie.fraunhofer.de
Reply-To: thomas.barabosch@fkie.fraunhofer.de
To: gnats-bugs@NetBSD.org
Subject: Unsafe copy in bin/pax (pat_rep.c, function 
X-Send-Pr-Version: www-1.0

>Number:         53362
>Category:       bin
>Synopsis:       Unsafe copy in bin/pax (pat_rep.c, function
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 13 14:00:00 +0000 2018
>Closed-Date:    Sat Jun 16 00:53:47 +0000 2018
>Last-Modified:  Sat Jun 16 00:53:47 +0000 2018
>Originator:     Thomas Barabosch
>Release:        7.1.2
>Organization:
Fraunhofer FKIE
>Environment:
>Description:
There is a (theoretical) overflow in bin/pax. The function rep_name of file pat_rep.c does not check the size of input buffer name before it copies it into the local buffer buf1. Though, this is unlikely to trigger, to improve code quality, it would be better to use strlcpy instead of strcpy. This issue was fixed in FreeBSD (commit e9f93eed438913bd030866f9c8660fb2678b97d6 of github mirror).
>How-To-Repeat:

>Fix:
--- pat_rep.c	2018-06-13 11:00:17.591854034 +0200
+++ pat_rep.c.patched	2018-06-13 15:34:14.310301128 +0200
@@ -924,7 +924,7 @@
 	 * (the user already saw that substitution go by)
 	 */
 	pt = rephead;
-	(void)strcpy(buf1, name);
+	(void)strlcpy(buf1, name, sizeof(buf1));
 	inpt = buf1;
 	outpt = nname;
 	endpt = outpt + PAXPATHLEN;

>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53362 CVS commit: src/bin/pax
Date: Wed, 13 Jun 2018 11:14:41 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Wed Jun 13 15:14:41 UTC 2018

 Modified Files:
 	src/bin/pax: pat_rep.c

 Log Message:
 PR/53362: Thomas Barabosch: Use strlcpy() to prevent theoretical buffer
 overflow.


 To generate a diff of this commit:
 cvs rdiff -u -r1.29 -r1.30 src/bin/pax/pat_rep.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Sat, 16 Jun 2018 00:53:47 +0000
State-Changed-Why:
christos committed your patch.  thanks!


>Unformatted:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.