From: Leo Famulari
Subject: Re: cracklib: Fix buffer overflow
Date: Tue, 20 Sep 2016 13:43:10 -0400
Message-ID: <20160920174310.GA7204@jasmine>
In-Reply-To: <20160920093201.GB17906@macbook42.flashner.co.il>
References: <20160915153646.GA31020@jasmine> <20160920093201.GB17906@macbook42.flashner.co.il>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Efraim Flashner
Cc: guix-devel@gnu.org

On Tue, Sep 20, 2016 at 12:32:02PM +0300, Efraim Flashner wrote:
> > +diff --git a/src/lib/rules.c b/src/lib/rules.c
> > +index d193cc0..3a2aa46 100644
> > +--- a/lib/rules.c
> > ++++ b/lib/rules.c
> > +@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */
> > + {
> > +     int limit;
> > +     register char *ptr;
> > +-    static char area[STRINGSIZE];
> > +-    char area2[STRINGSIZE];
> > +-    area[0] = '\0';
> > ++    static char area[STRINGSIZE * 2] = {0};
> > ++    char area2[STRINGSIZE * 2] = {0};
> > +     strcpy(area, input);
> > + 
> > +     for (ptr = control; *ptr; ptr++)
> > -- 
> > 2.10.0
> > 
> 
> not having looked at the full source of lib/rules.c, is there a maximum
> value to STRINGSIZE to make sure STRINGSIZE * 2 doesn't wrap around?

STRINGSIZE is defined in 'lib/packer.h' as 1024:
https://github.com/cracklib/cracklib/blob/cracklib-2.9.6/src/lib/packer.h#L11

I just looked at all the uses of STRINGSIZE in order to give a brief
overview of how it's used, but I'm not skilled enough to recognize every
case where it might be dangerous and overflow.

STRINGSIZE is used to declare many char arrays, an array of pointers, and
as an argument to fgets, snprintf, and strncpy.

Also the object macro TRUNCSTRINGSIZE is defined as (STRINGSIZE / 4).
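Review bot: the hunk doubles 'area' and 'area2' to STRINGSIZE * 2 but keeps the unbounded 'strcpy(area, input);', so the overflow is moved out to inputs of 2 * STRINGSIZE bytes or more rather than removed; unless every caller of Mangle() guarantees that 'input' is shorter than STRINGSIZE, the fix that actually closes it is a length check before the copy (or a bounded copy with sizeof area and an explicit terminator). Two smaller points on the same hunk: the 'diff --git a/src/lib/rules.c' header and the '--- a/lib/rules.c' / '+++ b/lib/rules.c' lines disagree on the path (src/lib versus lib), which should be made consistent so the patch applies at the expected -p level; and dropping 'area[0] = '\0';' is correct since strcpy always writes the terminator, but note that '= {0}' on the static array zeroes it once at program start, not on each call, so the function still relies on the copy overwriting whatever the previous call left there.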
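To make the point of the thread concrete (that a larger buffer only moves the limit while a length check removes it), here is an added C example. It is not cracklib code and not part of the original patch or messages; it assumes the STRINGSIZE value of 1024 that the reply quotes from lib/packer.h, and the function names bounded_copy, strcpy_stays_in_bounds and try_patched_buffer are hypothetical helpers written for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value: the thread states lib/packer.h defines STRINGSIZE as 1024. */
#define STRINGSIZE 1024

/* Outcome of copying a caller-supplied string into a fixed-size buffer. */
enum copy_result { COPY_OK = 0, COPY_TOO_LONG = -1 };

/* Hypothetical helper: copy `input` into `dst` (capacity `dst_size`,
 * terminator included) only when it fits; otherwise leave `dst` empty and
 * report failure. This is exactly the check that a plain
 * strcpy(area, input) never performs, whatever size `area` has. */
static enum copy_result bounded_copy(char *dst, size_t dst_size, const char *input)
{
    size_t len = strlen(input);
    if (dst_size == 0)
        return COPY_TOO_LONG;
    if (len >= dst_size) {          /* need len + 1 bytes for the NUL */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, input, len + 1);    /* copy including the terminator */
    return COPY_OK;
}

/* Pure arithmetic, no memory is touched: would a strcpy of `input_len`
 * characters (plus NUL) stay inside a buffer of `buf_size` bytes? Lets the
 * reader compare the original STRINGSIZE layout with the STRINGSIZE * 2 one. */
static int strcpy_stays_in_bounds(size_t buf_size, size_t input_len)
{
    return input_len + 1 <= buf_size;
}

/* Builds a constructed input of `n` 'a' characters and tries to copy it into a
 * buffer sized like the patched code (STRINGSIZE * 2) using the bounded copy. */
static enum copy_result try_patched_buffer(size_t n)
{
    static char input[4 * STRINGSIZE];      /* scratch space for the constructed input */
    char area2[STRINGSIZE * 2] = {0};       /* same size as the patch's area2 */

    if (n >= sizeof input)
        return COPY_TOO_LONG;               /* cannot even build the input */
    memset(input, 'a', n);
    input[n] = '\0';
    return bounded_copy(area2, sizeof area2, input);
}

int main(void)
{
    printf("original buffer (STRINGSIZE): 1023 chars in bounds=%d, 1024 chars in bounds=%d\n",
           strcpy_stays_in_bounds(STRINGSIZE, 1023),
           strcpy_stays_in_bounds(STRINGSIZE, 1024));
    printf("patched buffer (2*STRINGSIZE): 2047 chars in bounds=%d, 2048 chars in bounds=%d\n",
           strcpy_stays_in_bounds(2 * STRINGSIZE, 2047),
           strcpy_stays_in_bounds(2 * STRINGSIZE, 2048));
    printf("bounded_copy of 2048 chars into the patched buffer -> %d (rejected, nothing overflows)\n",
           try_patched_buffer(2048));
    return 0;
}
```

The arithmetic helper shows that the doubled buffer accepts 2047 characters instead of 1023 and nothing more; bounded_copy is the shape of check that makes the buffer size irrelevant to safety, because an over-long input is reported rather than written past the end.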