sizeof(char*) has been used in an attempt to get a string's length.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5912dfa in _IO_vfprintf_internal (s=0x7fffffffdf60, format=<value optimized out>, ap=0x7fffffffe080) at vfprintf.c:1614
1614    vfprintf.c: No such file or directory.
        in vfprintf.c
(gdb) bt
#0  0x00007ffff5912dfa in _IO_vfprintf_internal (s=0x7fffffffdf60, format=<value optimized out>, ap=0x7fffffffe080) at vfprintf.c:1614
#1  0x00007ffff5932979 in __IO_vsprintf (string=0x7076c0 "/tmp/dtdbcache_", format=0x7ffff74a67e3 "%s/%s%s", args=0x7fffffffe080) at iovsprintf.c:43
#2  0x00007ffff5919a78 in __sprintf (s=0xffffe165 <Address 0xffffe165 out of bounds>, format=0x7ffff74a67e8 "%s") at sprintf.c:34
#3  0x00007ffff7484e6e in _DtDtsMMCacheName (override=<value optimized out>) at DtsMM.c:574
#4  0x00007ffff748512a in _DtDtsMMInit (override=0) at DtsMM.c:319
...
This fixes it: diff --git a/cde/lib/DtSvc/DtUtil1/DtsMM.c b/cde/lib/DtSvc/DtUtil1/DtsMM.c index dd82d6f..c7e7a63 100644 --- a/cde/lib/DtSvc/DtUtil1/DtsMM.c +++ b/cde/lib/DtSvc/DtUtil1/DtsMM.c @@ -566,12 +566,11 @@ _DtDtsMMCacheName(int override) /* are on different file systems. Use tmpnam(3) to create the */ /* unique file name instead. */ char tmpnam_buf[L_tmpnam + 1]; + size_t buflen = strlen(_DTDTSMMTEMPDIR) + strlen(_DTDTSMMTEMPFILE) + L_tmpnam + 3; - results = (char *)malloc(sizeof(_DTDTSMMTEMPDIR) + - sizeof(_DTDTSMMTEMPFILE) + - L_tmpnam + 3); + results = (char *)malloc(buflen); tmpnam(tmpnam_buf); - sprintf(results, "%s/%s%s", _DTDTSMMTEMPDIR, _DTDTSMMTEMPFILE, + snprintf(results, buflen, "%s/%s%s", _DTDTSMMTEMPDIR, _DTDTSMMTEMPFILE, basename(tmpnam_buf)); } return(results);
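Review bot: the result of malloc(buflen) is still passed to snprintf() unchecked; after `results = (char *)malloc(buflen);` add a NULL check and bail out in whatever way the callers of _DtDtsMMCacheName expect before formatting into the buffer. The new size itself looks sufficient: the two strlen() values, one '/', a basename(tmpnam_buf) that cannot be longer than L_tmpnam, and the terminating NUL all fit within the + 3 slack, so snprintf() should not truncate here, but comparing its return value against buflen would make that explicit instead of assumed. Separately, the tmpnam(3) call this hunk keeps produces a predictable name with a gap between choosing the name and creating the file, and the backtrace shows the path living under /tmp; a follow-up that switches to mkstemp(3) would close that window.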
cde-buffer_overflow-sizeof_instead_of_strlen.patch
Description: Binary data
_______________________________________________
cdesktopenv-devel mailing list
cdesktopenv-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel