Bug 16415

Summary: Buffer overflow in procctl(8)
Product: Base System
Reporter: toasty <toasty>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 3.4-STABLE   
Hardware: Any   
OS: Any   

Description toasty 2000-01-28 06:10:01 UTC
Procctl has a simple buffer overflow. It's not suid, so I wouldn't consider
this a security problem.

Fix: 

-    sprintf(buf, "/proc/%s/mem", av[i]);
+    snprintf(buf, sizeof(buf), "/proc/%s/mem", av[i]);
     fd = open(buf, O_RDWR);
     if (fd == -1) {
       if (errno == ENOENT)--lBBFAAlYcR5zgOBAthqn6MYljcHrLWtvhxgP9ZqQcwC1ZAHC

--- procctl.c   Thu Jan 27 23:55:57 2000
+++ procctl.c   Thu Jan 27 23:56:57 2000
@@ -63,7 +63,7 @@
   for (i = 1; i < ac; i++) {
     char buf[32];
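
Review bot: the return value of the added snprintf(buf, sizeof(buf), ...) call is not checked, so an argument too long for the 32-byte buf is silently truncated and open(buf, O_RDWR) is then attempted on a path the user did not name. Suggest comparing the result against sizeof(buf) and reporting the argument as invalid (then continuing with the next one) when it does not fit, instead of relying on open() failing for the truncated name.
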
How-To-Repeat: 
su-2.03# procctl 22348723894723984728974892748923894729834728934798273489273498274
Segmentation fault (core dumped)
Comment 1 ru freebsd_committer freebsd_triage 2000-02-21 11:07:34 UTC
State Changed
From-To: open->closed

Patch applied, thanks!
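
The bounded formatting from the fix, with the truncation case made explicit, as an added example (not code from procctl.c or the FreeBSD tree). The helper `build_mem_path`, its return codes and the digits-only check on the argument are assumptions made for illustration; the 32-byte buffer and the `/proc/%s/mem` format are taken from the patch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MEM_PATH_MAX 32	/* same size as buf[] in the patched loop */

/*
 * Hypothetical helper, not from procctl.c: build "/proc/<pid>/mem" in out.
 * Returns 0 on success, -1 if arg is not a plain decimal pid (assumed
 * input rule), -2 if the path would not fit and snprintf truncated it.
 */
static int
build_mem_path(char *out, size_t outlen, const char *arg)
{
	const char *p;
	int n;

	if (*arg == '\0')
		return (-1);
	for (p = arg; *p != '\0'; p++)
		if (!isdigit((unsigned char)*p))
			return (-1);

	/* snprintf returns the length it wanted to write, excluding the NUL. */
	n = snprintf(out, outlen, "/proc/%s/mem", arg);
	if (n < 0 || (size_t)n >= outlen)
		return (-2);
	return (0);
}

int
main(int argc, char **argv)
{
	char buf[MEM_PATH_MAX];
	int i, rc;

	for (i = 1; i < argc; i++) {
		rc = build_mem_path(buf, sizeof(buf), argv[i]);
		if (rc == 0)
			printf("would open %s\n", buf);
		else
			fprintf(stderr, "%s: %s\n", argv[i],
			    rc == -1 ? "not a pid" : "pid too long");
	}
	return (0);
}
```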