Date: Tue, 15 Sep 1998 03:02:24 +0200
From: Wichert Akkerman <wichert@WIGGY.ML.ORG>
Subject: tcsh buffer overflow
To: BUGTRAQ@NETSPACE.ORG
--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
After the whole mess with bash recently I decided to take a short look at tcsh and found it has the same problems. Although tcsh-scripts are very uncommon, it's still exploitable. Below is a patch which should fix the problems.
Wichert.
--- tcsh-6.07.06.orig/sh.dir.c
+++ tcsh-6.07.06/sh.dir.c
@@ -78,7 +78,7 @@
 char path[MAXPATHLEN];
=20
 /* Don't believe the login shell home, because it may be a symlink */
- tcp =3D (char *) getwd(path);
+ tcp =3D (char *) getcwd(path, MAXPATHLEN);
 if (tcp =3D=3D NULL || *tcp =3D=3D '\0') {
 xprintf("%s: %s\n", progname, path);
 if (hp && *hp) {
@@ -549,7 +549,8 @@
 }
 #endif /* apollo */
=20
- (void) strcpy(ebuf, short2str(cp));
+ (void) strncpy(ebuf, short2str(cp), MAXPATHLEN); // WTA: make sure we = don't overflow ebuf
+ ebuf[MAXPATHLEN-1]=3D0;
 /*
 * if we are ignoring symlinks, try to fix relatives now.
 * if we are expading symlinks, it should be done by now.
@@ -1061,7 +1062,7 @@
 #endif /* apollo */
 continue; /* canonicalize the link */
 }
-#endif /* S_IFLNK */
+#endif /* S_IFLNKXYZ */
 if (slash)
 *p =3D '/';
 }
@@ -1096,7 +1097,8 @@
 /*
 * Start comparing dev & ino backwards
 */
- p2 =3D Strcpy(link, cp);
+ p2 =3D Strncpy(link, cp, MAXPATHLEN); // WTA: remember that length-check!
+ link[MAXPATHLEN-1]=3D0;
 found =3D 0;
 while (*p2 && stat(short2str(p2), &statbuf) !=3D -1) {
 if (DEV_DEV_COMPARE(statbuf.st_dev, home_dev) &&
@@ -1119,7 +1121,7 @@
 cp =3D newcp;
 }
 }
-#endif /* S_IFLNK */
+#endif /* S_IFLNKXYZ */
=20
 #ifdef apollo
 if (slashslash) {
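Review bot: After the switch to getcwd(), the failure branch's `xprintf("%s: %s\n", progname, path);` prints a buffer that nothing in this hunk has written: `char path[MAXPATHLEN];` is declared without an initializer, and unlike getwd(), which historically copied an error message into its argument when it failed, getcwd() leaves the buffer untouched when it returns NULL. That message line should report the errno text instead, `xprintf("%s: %s\n", progname, strerror(errno));`, or be dropped. The enclosing function starts and ends outside the hunk, so I cannot see whether `path` is filled anywhere earlier; if it is not, this is an uninitialized read on every failure path.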
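Review bot: The added `// WTA: make sure we don't overflow ebuf` is a C99/C++ line comment in a file that otherwise uses `/* ... */` (the context lines of this hunk show the house style); pre-C99 compilers, which tcsh of this vintage still targeted, reject it, so it should be `/* WTA: make sure we don't overflow ebuf */`. Separately, `strncpy()` plus the forced `ebuf[MAXPATHLEN-1]=0` stops the overflow but silently truncates a name longer than MAXPATHLEN-1 and lets the symlink handling below continue on the shortened path; since `ebuf`'s declaration is outside the hunk, the MAXPATHLEN bound is an assumption here rather than something the hunk demonstrates. A length check that rejects the over-long input before the copy (e.g. `if (strlen(short2str(cp)) >= MAXPATHLEN)` followed by an error return) would be safer than truncation.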
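Review bot: The only change in the @@ -1061 hunk rewrites the trailing comment on an `#endif` from `/* S_IFLNK */` to `/* S_IFLNKXYZ */`; that is comment text, so it does not affect the build, but it no longer names the macro the block is presumably guarded by (the matching `#ifdef` is outside the hunk) and looks like a leftover from local editing rather than part of the overflow fix. It should be reverted to `#endif /* S_IFLNK */`; the same stray edit appears again in the @@ -1119 hunk.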
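Review bot: In the @@ -1096 hunk, `p2 = Strncpy(link, cp, MAXPATHLEN);` followed by `link[MAXPATHLEN-1]=0;` bounds the copy, but when `cp` is longer than MAXPATHLEN-1 the loop that follows, `while (*p2 && stat(short2str(p2), &statbuf) != -1)`, now stat()s and compares dev/ino of a silently truncated path, i.e. of a different file than the one named. A path that does not fit should be treated as an error before the copy rather than truncated; `link`'s declaration and the function boundaries are outside the hunk, so the MAXPATHLEN size is assumed here. The `// WTA:` comment has the same pre-C99 portability problem as the one in the @@ -549 hunk and should use `/* ... */`.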
@@ -1255,7 +1257,9 @@
 return (0);
 }
 }
- (void) Strcpy(s, dp->di_name);
+
+ (void) Strncpy(s, dp->di_name, MAXPATHLEN); // WTA: assume MAXPATHLEN = is okay
+ s[MAXPATHLEN-1]=3D0;
 return (1);
 }
=20
--yrj/dFKFPuw6o+aM
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
iQB1AwUBNf28oKjZR/ntlUftAQFoDgMAgFSP5EMZwglxdpU/SRfTDFL39gXDlA3R
PJo/eZg3/YZbZwlFvHYLAGlWbSY3pxN1pZ+TVBSiLFNMqFHwfHReEcFFMKFcQGuF
R1KOeE/6F8KPpGHc89g3pcIaPPP9N4B0
=eO9d
-----END PGP SIGNATURE-----
--yrj/dFKFPuw6o+aM--
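Review bot: `Strncpy(s, dp->di_name, MAXPATHLEN)` followed by `s[MAXPATHLEN-1]=0` writes up to MAXPATHLEN Chars into the caller-supplied buffer `s`, whose size this function never receives (its signature is outside the hunk), so the bound only holds if every caller passes at least MAXPATHLEN Chars; the `// WTA: assume MAXPATHLEN is okay` comment admits this is assumed, and a smaller caller buffer would still overflow. The contract should be written down at the definition, `/* s must point to at least MAXPATHLEN Chars; di_name is truncated to fit. */`, and the comment itself should be `/* ... */` rather than `//` for the pre-C99 compilers this code otherwise accommodates. Note also that truncation is silent here: a stack entry longer than MAXPATHLEN-1 is returned shortened while `return (1)` still signals success, and the added empty `+` line before the copy is stray whitespace.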