Bug 16954

Summary: [PATCH] catopen(3) in libc can overflow on $NLSPATH
Product: Base System
Reporter: spock <spock>
Component: misc
Assignee: Kris Kennaway <kris>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description spock 2000-02-24 06:40:01 UTC
The function catopen(3) in libc can overflow if $NLSPATH is too long.
This can be noticed by running /usr/bin/ee.

Fix: Apply patch and recompile libc



Index: lib/libc/nls/msgcat.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/nls/msgcat.c,v
retrieving revision 1.21
diff -u -r1.21 msgcat.c
--- msgcat.c    2000/01/27 23:06:33     1.21
+++ msgcat.c    2000/02/02 19:38:09
@@ -92,8 +92,9 @@
     char        *nlspath;
     char       *lang;
     long       len;
-    char       *base, *cptr, *pathP;
+    char       *base, *cptr;
     struct stat        sbuf;
+    int         j;
if (!name || !*name) {
        errno = EINVAL;
@@ -127,20 +128,22 @@
        for (nlspath = cptr; *cptr; ++cptr) {
            if (*cptr == ':') {
                *cptr = '\0';
-               for (pathP = path; *nlspath; ++nlspath) {
+               for (j=0; *nlspath; ++nlspath) {
                    if (*nlspath == '%') {
                        if (*(nlspath + 1) == 'L') {
                            ++nlspath;
-                           strcpy(pathP, lang);
-                           pathP += strlen(lang);
+                           strncpy(path+j, lang, sizeof(path)-j-1);
+                           j += strlen(path+j);
                        } else if (*(nlspath + 1) == 'N') {
                            ++nlspath;
-                           strcpy(pathP, name);
-                           pathP += strlen(name);
-                       } else *(pathP++) = *nlspath;
-                   } else *(pathP++) = *nlspath;
+                           strncpy(path+j, name, sizeof(path)-j-1);
+                           j += strlen(path+j);
+                       } else if(sizeof(path)-j-1)
+                          path[j++] = *nlspath;
+                   } else if(sizeof(path)-j-1)
+                      path[j++] = *nlspath;
                }
-               *pathP = '\0';
+               path[j] = '\0';
                if (stat(path, &sbuf) == 0) {
                    catpath = path;
                    break;
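Review bot: in the @@ -92 hunk, the new `int j;` is the offset later used in `sizeof(path)-j-1`, which is size_t arithmetic; declaring it `size_t j;` keeps that expression unsigned end to end, avoids the signed/unsigned mix compilers warn about, and documents that j is a buffer offset bounded by sizeof(path).

Review bot: in the @@ -127 hunk, `strncpy(path+j, lang, sizeof(path)-j-1)` does not NUL-terminate when lang is at least as long as the limit, so the following `j += strlen(path+j)` can read past the end of path unless its last byte happens to be zero; set `path[sizeof(path)-1] = '\0'` before the loop, or use strlcpy, whose return value also reports that the copy was cut short. The `if(sizeof(path)-j-1)` guards are correct but read more clearly as `if (j < sizeof(path) - 1)`. Truncation also remains silent here: a cut-off expansion is handed to stat() as though it were the intended catalog path, so an entry that does not fit should be skipped rather than stat()ed.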
How-To-Repeat: $ NLSPATH=[5120] ee
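As an added illustration, not the reporter's patch or FreeBSD's msgcat.c, here is a bounds-checked version of the %L/%N expansion the patch touches, written so that truncation is reported instead of silently producing a different path; the function names, the sample NLSPATH strings and the small buffer size are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Appends s at out[pos] without writing past out[outsz-1]; returns where the
 * full, untruncated expansion would have ended. Assumes outsz > 0. */
static size_t append_bounded(char *out, size_t outsz, size_t pos, const char *s)
{
    size_t n = strlen(s);
    if (pos < outsz - 1) {
        size_t room = outsz - 1 - pos;
        memcpy(out + pos, s, n < room ? n : room);
    }
    return pos + n;
}

/* Expands one NLSPATH entry (up to ':' or end of string), substituting %L
 * with lang and %N with name as msgcat.c does. Always NUL-terminates out and
 * returns the length the full expansion needs: a result >= outsz means the
 * copy was truncated, which the strncpy in the patch above does not report. */
size_t expand_nlspath_entry(const char *entry, const char *lang,
                            const char *name, char *out, size_t outsz)
{
    size_t pos = 0;
    for (const char *p = entry; *p != '\0' && *p != ':'; ++p) {
        if (*p == '%' && (p[1] == 'L' || p[1] == 'N')) {
            pos = append_bounded(out, outsz, pos, p[1] == 'L' ? lang : name);
            ++p;                           /* skip the L or N */
        } else {
            char one[2] = { *p, '\0' };    /* literal byte, including a lone '%' */
            pos = append_bounded(out, outsz, pos, one);
        }
    }
    out[pos < outsz - 1 ? pos : outsz - 1] = '\0';
    return pos;
}

/* Walks a colon-separated NLSPATH, skipping entries whose expansion would not
 * fit in out: a truncated path names a different file and must not be stat()ed.
 * Returns the 0-based index of the first entry that fit, or -1 if none did. */
int first_fitting_entry(const char *nlspath, const char *lang,
                        const char *name, char *out, size_t outsz)
{
    int idx = 0;
    for (const char *p = nlspath;; p = strchr(p, ':') + 1, ++idx) {
        if (expand_nlspath_entry(p, lang, name, out, outsz) < outsz)
            return idx;
        if (strchr(p, ':') == NULL)
            return -1;
    }
}
```

With an 8-byte buffer and a 5120-character NLSPATH like the one in How-To-Repeat, every over-long entry is rejected up front and the caller never stat()s a half-expanded name.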
Comment 1 Kris Kennaway freebsd_committer freebsd_triage 2000-08-04 23:23:44 UTC
Responsible Changed
From-To: freebsd-bugs->kris

I'll look at this since I already developed my own patch.
Comment 2 Kris Kennaway freebsd_committer freebsd_triage 2000-10-07 03:59:00 UTC
State Changed
From-To: open->closed

Problem resolved - thanks.