From: deraadt
Date: Thu, 12 Sep 1996 19:25:42 +0000 (+0000)
Subject: sendmail gecos oflow -- found by mudge, this fix by downsj. I knew about this
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=c54627d175e35a91f1736f1973cff1e8443ec9bb;p=openbsd
sendmail gecos oflow -- found by mudge, this fix by downsj. I knew about this hole a month ago. OpenBSD is not vulnerable because you cannot set a gecos that long -- bitblt and I fixed chfn & the other tools when we became aware of the hole; we did not fix sendmail to avoid bringing attention to the sendmail hole
---
diff --git a/usr.sbin/sendmail/src/envelope.c b/usr.sbin/sendmail/src/envelope.c
index 4bf7ac231dd..1cd3b56f76d 100644
--- a/usr.sbin/sendmail/src/envelope.c
+++ b/usr.sbin/sendmail/src/envelope.c
@@ -777,7 +777,8 @@ setsender(from, e, delimptr, internal)
 strcmp(pw->pw_name, e->e_from.q_user) == 0 &&
 !internal)
 {
- buildfname(pw->pw_gecos, e->e_from.q_user, buf);
+ buildfname(pw->pw_gecos, e->e_from.q_user,
+ buf, sizeof buf);
 if (buf[0] != '\0')
 FullName = newstr(buf);
 }
diff --git a/usr.sbin/sendmail/src/recipient.c b/usr.sbin/sendmail/src/recipient.c
index 79126e9ccc5..90e3e5a4353 100644
--- a/usr.sbin/sendmail/src/recipient.c
+++ b/usr.sbin/sendmail/src/recipient.c
@@ -535,7 +535,7 @@ recipient(a, sendq, aliaslevel, e)
 a->q_gid = pw->pw_gid;
 a->q_ruser = newstr(pw->pw_name);
 a->q_flags |= QGOODUID;
- buildfname(pw->pw_gecos, pw->pw_name, nbuf);
+ buildfname(pw->pw_gecos, pw->pw_name, nbuf, sizeof nbuf);
 if (nbuf[0] != '\0')
 a->q_fullname = newstr(nbuf);
 if (!usershellok(pw->pw_name, pw->pw_shell))
@@ -743,7 +743,7 @@ finduser(name, fuzzyp)
 }
 # endif
- buildfname(pw->pw_gecos, pw->pw_name, buf);
+ buildfname(pw->pw_gecos, pw->pw_name, buf, sizeof buf);
 if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
 {
 if (tTd(29, 4))
diff --git a/usr.sbin/sendmail/src/util.c b/usr.sbin/sendmail/src/util.c
index 096f519d0c3..06104232543 100644
--- a/usr.sbin/sendmail/src/util.c
+++ b/usr.sbin/sendmail/src/util.c
@@ -383,10 +383,11 @@ makelower(p)
 */
 void
-buildfname(gecos, login, buf)
+buildfname(gecos, login, buf, bufsiz)
 register char *gecos;
 char *login;
 char *buf;
+ int bufsiz;
 {
 register char *p;
 register char *bp = buf;
@@ -395,22 +396,13 @@ buildfname(gecos, login, buf)
 if (*gecos == '*')
 gecos++;
- /* find length of final string */
- l = 0;
- for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
- {
- if (*p == '&')
- l += strlen(login);
- else
- l++;
- }
-
- /* now fill in buf */
- for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
+ for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'
+ && ((bp - buf) <= (bufsiz - 1)); p++)
 {
 if (*p == '&')
 {
- (void) strcpy(bp, login);
+ (void) strncpy(bp, login, (bufsiz - (bp - buf) - 1));
+ buf[bufsiz - 1] = '\0';
 *bp = toupper(*bp);
 while (*bp != '\0')
 bp++;
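Review bot: The new `int bufsiz` parameter receives `sizeof buf` or `sizeof nbuf`, a `size_t`, at the three call sites in envelope.c and recipient.c, and no header change is visible in this diff. So either an existing prototype for buildfname is now stale, or the calls reach an unprototyped K&R definition where the argument is not converted to `int`. Where `size_t` is wider than `int` that mismatch is undefined; a cast at each call, e.g. `buildfname(pw->pw_gecos, pw->pw_name, buf, (int) sizeof buf);`, or a matching prototype would close it. The comment block above the definition starts outside this hunk and should also gain a line for the new parameter, for example `bufsiz -- size of buf, including the terminating NUL`.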
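Review bot: The added bound `(bp - buf) <= (bufsiz - 1)` still lets the loop body run with bp pointing at the last byte of buf. If the non-`&` branch and the terminator after the loop (both outside this hunk) are the usual `*bp++ = *p;` and `*bp = '\0';`, a gecos that fills the buffer stores its last character in buf[bufsiz - 1] and the NUL in buf[bufsiz], one byte past the end. Stopping one position earlier, `&& ((bp - buf) < (bufsiz - 1)); p++)`, leaves room for the terminator. The length-counting loop is removed here but the declaration of `l` is not in the hunk, so it is presumably left unused and can be dropped.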