The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=5854d1cbab1073d78519e7ad9a6eb5726341d587
commit 5854d1cbab1073d78519e7ad9a6eb5726341d587 Author: Dag-Erling Smørgrav <[email protected]> AuthorDate: 2025-10-17 11:54:48 +0000 Commit: Dag-Erling Smørgrav <[email protected]> CommitDate: 2025-10-17 11:54:48 +0000 quot: Fix benign buffer overflow If it encounters an inode whose owner does not have a pw entry, quot allocates a 7-byte buffer (8 in practice, since that is the minimum allocation size) and uses it to store the numeric uid preceded by a hash character. This will overflow the allocated buffer if the UID exceeds 6 decimal digits. Avoid this by using asprintf() instead. While here, simplify the common case as well using strdup(). Reported by: Igor Gabriel Sousa e Souza <[email protected]> MFC after: 3 days Reviewed by: obiwac, emaste Differential Revision: https://reviews.freebsd.org/D53129 --- usr.sbin/quot/quot.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/usr.sbin/quot/quot.c b/usr.sbin/quot/quot.c index 4152c498371a..c11c46a500a1 100644 --- a/usr.sbin/quot/quot.c +++ b/usr.sbin/quot/quot.c @@ -280,14 +280,10 @@ user(uid_t uid) usr--) { if (!usr->name) { usr->uid = uid; - if (!(pwd = getpwuid(uid))) { - if ((usr->name = (char *)malloc(7))) - sprintf(usr->name,"#%d",uid); + asprintf(&usr->name, "#%u", uid); } else { - if ((usr->name = (char *) - malloc(strlen(pwd->pw_name) + 1))) - strcpy(usr->name,pwd->pw_name); + usr->name = strdup(pwd->pw_name); } if (!usr->name) errx(1, "allocate users");
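Review bot: the return value of the added `asprintf(&usr->name, "#%u", uid);` call is discarded, so the allocation-failure path depends entirely on the unchanged `if (!usr->name) errx(1, "allocate users");` check that follows. That works because FreeBSD's asprintf() sets the pointer to NULL when it fails, but other libcs do not all guarantee this; testing `asprintf(...) < 0` at the call site would make the failure handling explicit and keep it correct if the code is ever built elsewhere. Separately, the format changes from "#%d" to "#%u", which is the right conversion for an unsigned uid_t and alters the printed label for UIDs above INT_MAX; the commit message describes only the buffer size fix, so a short mention of the signedness change would help anyone comparing output before and after the MFC.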
