Bug 23150

Summary: sscanf is used on a buffer that is not NULL-terminated
Product: Base System
Reporter: Dan Nelson (old address) <dnelson>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 5.0-CURRENT
Hardware: Any
OS: Any
Attachments:
  file.diff (flags: none)

Description Dan Nelson (old address) 2000-11-28 07:20:00 UTC
In elfcore.c, a buffer is allocated to hold the memory map for the
process being dumped.  This buffer is created with realloc, the map
is read() into it, then sscanf()'d.  Since -current's malloc defaults
to filling malloced buffers with junk, this guarantees a buffer
overflow.

How-To-Repeat: 
run gcore on -current; see it coredump in sscanf.
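The pattern the report describes, as an added example that is not the gcore/elfcore.c source or the attached file.diff: a buffer is filled the way read() fills it (exactly the bytes read, no terminator, the rest of the allocation being malloc junk), then handed to sscanf(), which keeps scanning until it finds a NUL. The map line format, the junk byte value and the function names are assumptions for illustration; the fix shown (allocate one extra byte and terminate explicitly before parsing) is the standard remedy, not a description of what the committed fix did.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in the style of a process memory map, as read()
 * would deliver it: raw bytes with no trailing NUL.  Hypothetical format. */
static const char SAMPLE_MAP[] =
    "0x08048000 0x08050000 rwx\n"
    "0x08050000 0x08052000 rw-\n";

/* Emulate read() into a freshly (re)allocated buffer: the allocation is
 * junk-filled (standing in for the -current malloc behaviour in the report)
 * and exactly len bytes are copied in.  Nothing places a NUL in it. */
static char *fill_like_read(const char *src, size_t len)
{
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    memset(buf, 0xd0, len);       /* assumed junk byte; stand-in for malloc fill */
    memcpy(buf, src, len);        /* read() semantics: bytes only, no terminator */
    return buf;
}

/* The check a practitioner wants before handing a buffer to sscanf():
 * is there a NUL somewhere within the bytes we actually own? */
static int has_terminator(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Hardened parse: copy into len+1 bytes, terminate explicitly, then
 * sscanf() one line at a time.  Returns the number of entries whose
 * start address was parsed (at most max), or -1 on allocation failure. */
static int parse_map(const char *raw, size_t len, unsigned long *starts, int max)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, raw, len);
    buf[len] = '\0';              /* the byte the unsafe pattern never writes */

    int count = 0;
    char *line = buf;
    while (line != NULL && *line != '\0' && count < max) {
        char *nl = strchr(line, '\n');
        if (nl != NULL)
            *nl = '\0';           /* bound sscanf() to this line */
        unsigned long start, end;
        char perms[4];
        if (sscanf(line, "%lx %lx %3s", &start, &end, perms) == 3)
            starts[count++] = start;
        line = (nl != NULL) ? nl + 1 : NULL;
    }
    free(buf);
    return count;
}

int main(void)
{
    size_t len = sizeof(SAMPLE_MAP) - 1;   /* exclude the literal's own NUL */
    char *raw = fill_like_read(SAMPLE_MAP, len);
    if (raw == NULL)
        return 1;
    printf("NUL inside the raw read buffer: %s\n",
           has_terminator(raw, len) ? "yes" : "no (sscanf would run past it)");
    unsigned long starts[8];
    int n = parse_map(raw, len, starts, 8);
    printf("parsed %d entries, first start 0x%lx\n", n, n > 0 ? starts[0] : 0UL);
    free(raw);
    return 0;
}
```

The raw buffer fails the terminator check, which is exactly the condition under which sscanf() reads beyond the allocation; parse_map() never passes that buffer to sscanf() directly, so the junk fill is harmless to it.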
Comment 1 Chris D.Faulhaber freebsd_committer freebsd_triage 2000-11-30 16:31:12 UTC
Responsible Changed
From-To: gnats-admin->freebsd-bugs

Misfiled PR
Comment 2 jlemon freebsd_committer freebsd_triage 2001-06-07 06:26:39 UTC
State Changed
From-To: open->closed

Fix committed, thanks!