
Date:	Tue, 15 Sep 1998 03:02:24 +0200
From:	Wichert Akkerman <wichert@WIGGY.ML.ORG>
Subject:      tcsh buffer overflow
To:	BUGTRAQ@NETSPACE.ORG

--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable


After the whole mess with bash recently I decided to take a short look
at tcsh and found that it has the same problems. Although tcsh scripts
are very uncommon, it is still exploitable. Below is a patch which
should fix the problems.

Wichert.


--- tcsh-6.07.06.orig/sh.dir.c
+++ tcsh-6.07.06/sh.dir.c
@@ -78,7 +78,7 @@
     char    path[MAXPATHLEN];
=20
     /* Don't believe the login shell home, because it may be a symlink */
-    tcp =3D (char *) getwd(path);
+    tcp =3D (char *) getcwd(path, MAXPATHLEN);
     if (tcp =3D=3D NULL || *tcp =3D=3D '\0') {
        xprintf("%s: %s\n", progname, path);
        if (hp && *hp) {
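Review bot: After the switch to getcwd(), the failure diagnostic `xprintf("%s: %s\n", progname, path);` prints unspecified buffer contents: getcwd() reports errors only through errno and does not write into `path`, whereas getwd() stored its error text there. Save errno right after the call and print `strerror(errno)` instead of `path`, e.g. `xprintf("%s: %s\n", progname, strerror(errno));`. The `(char *)` cast on getcwd()'s return value is also unnecessary, since it already returns `char *`. The enclosing function begins before this hunk.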
@@ -549,7 +549,8 @@
     }
 #endif /* apollo */
           =20
-    (void) strcpy(ebuf, short2str(cp));
+    (void) strncpy(ebuf, short2str(cp), MAXPATHLEN);   // WTA: make sure we =
don't overflow ebuf
+    ebuf[MAXPATHLEN-1]=3D0;
     /*
      * if we are ignoring symlinks, try to fix relatives now.
      * if we are expading symlinks, it should be done by now.
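Review bot: The strncpy()/`ebuf[MAXPATHLEN-1]=0` pair stops the overflow but silently truncates any path of MAXPATHLEN or more characters, and the truncated string is then handed to the symlink-fixing and chdir logic below as if it were the directory the user asked for. Prefer rejecting over-long input before the copy, e.g. `if (strlen(short2str(cp)) >= MAXPATHLEN) { /* report error, do not change directory */ }`, and apply the same treatment at the Strncpy() sites in the later hunks (the `link` copy and the `dp->di_name` copy). The new `// WTA:` comments should be written as `/* ... */` to match the file's existing comment style, since this code base predates C99 and some compilers of the time reject `//`. `ebuf`'s declaration is outside this hunk, so its size being MAXPATHLEN is assumed here and should be confirmed.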
@@ -1061,7 +1062,7 @@
 #endif /* apollo */
                continue;       /* canonicalize the link */
            }
-#endif /* S_IFLNK */
+#endif /* S_IFLNKXYZ */
            if (slash)
                *p =3D '/';
        }
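Review bot: `#endif /* S_IFLNK */` is changed to `#endif /* S_IFLNKXYZ */`, which only edits a comment but now disagrees with the `#ifdef S_IFLNK` it closes (outside this hunk); it looks like a leftover from temporarily renaming the macro while testing, and the same change appears in the following `#endif` hunk. Either restore the original comment in both places, or, if the `#ifdef` was really renamed, that change is missing from the patch and the symlink-canonicalisation code would be compiled differently from before. Suggested line: `#endif /* S_IFLNK */`.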
@@ -1096,7 +1097,8 @@
        /*
         * Start comparing dev & ino backwards
         */
-       p2 =3D Strcpy(link, cp);
+       p2 =3D Strncpy(link, cp, MAXPATHLEN); // WTA: remember that length-check!
+       link[MAXPATHLEN-1]=3D0;
        found =3D 0;
        while (*p2 && stat(short2str(p2), &statbuf) !=3D -1) {
            if (DEV_DEV_COMPARE(statbuf.st_dev, home_dev) &&
@@ -1119,7 +1121,7 @@
            cp =3D newcp;
        }
     }
-#endif /* S_IFLNK */
+#endif /* S_IFLNKXYZ */
=20
 #ifdef apollo
     if (slashslash) {
@@ -1255,7 +1257,9 @@
                return (0);
        }
     }
-    (void) Strcpy(s, dp->di_name);
+
+    (void) Strncpy(s, dp->di_name, MAXPATHLEN); // WTA: assume MAXPATHLEN =
is okay
+    s[MAXPATHLEN-1]=3D0;
     return (1);
 }
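Review bot: The unconditional `s[MAXPATHLEN-1]=0` together with Strncpy()'s padding now writes MAXPATHLEN elements into `s` on every call, regardless of how short `dp->di_name` is, whereas the old Strcpy() wrote only the string plus terminator; any caller that passes a buffer smaller than MAXPATHLEN is therefore overflowed where it previously was not. The `// WTA: assume MAXPATHLEN is okay` comment records exactly this unverified assumption. Since `s` is a parameter, either check every caller (all outside this hunk) or add an explicit length parameter and bound the copy by it. The added blank line before the Strncpy() call is stray, and the enclosing function starts before this hunk.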
=20


--yrj/dFKFPuw6o+aM
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia

iQB1AwUBNf28oKjZR/ntlUftAQFoDgMAgFSP5EMZwglxdpU/SRfTDFL39gXDlA3R
PJo/eZg3/YZbZwlFvHYLAGlWbSY3pxN1pZ+TVBSiLFNMqFHwfHReEcFFMKFcQGuF
R1KOeE/6F8KPpGHc89g3pcIaPPP9N4B0
=eO9d
-----END PGP SIGNATURE-----

--yrj/dFKFPuw6o+aM--