authorTheo de Raadt <deraadt@cvs.openbsd.org>1996-09-12 19:25:45 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>1996-09-12 19:25:45 +0000
commit69e41d5ed0d70c310fff472a85943674925d3a86 (patch)
treeba5704c1e2dd332e6dd8cc4defc2f3bdc6994ded /usr.sbin
parent902a61bb7066d5e3ac9d1ca4be28fc924c9fc5db (diff)
sendmail gecos oflow -- found by mudge, this fix by downsj. I knew about this
hole a month ago. OpenBSD is not vulnerable because you cannot set a gecos that long -- bitblt and I fixed chfn & the other tools when we became aware of the hole; we did not fix sendmail to avoid bringing attention to the sendmail hole
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/sendmail/src/envelope.c3
-rw-r--r--usr.sbin/sendmail/src/recipient.c4
-rw-r--r--usr.sbin/sendmail/src/util.c20
3 files changed, 10 insertions, 17 deletions
diff --git a/usr.sbin/sendmail/src/envelope.c b/usr.sbin/sendmail/src/envelope.c
index 4bf7ac231dd..1cd3b56f76d 100644
--- a/usr.sbin/sendmail/src/envelope.c
+++ b/usr.sbin/sendmail/src/envelope.c
@@ -777,7 +777,8 @@ setsender(from, e, delimptr, internal)
strcmp(pw->pw_name, e->e_from.q_user) == 0 &&
!internal)
{
- buildfname(pw->pw_gecos, e->e_from.q_user, buf);
+ buildfname(pw->pw_gecos, e->e_from.q_user,
+ buf, sizeof buf);
if (buf[0] != '\0')
FullName = newstr(buf);
}
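Review bot: `sizeof buf` has type size_t, but the util.c hunk of this commit declares the new fourth parameter as `int bufsiz` in an old-style definition, so unless a prototype for buildfname is in scope here the argument is passed unconverted. Where size_t and int differ in width that mismatch is undefined behaviour, and the size the callee sees may not be the size of the buffer. Either write `buf, (int) sizeof buf);` here and at the two calls in recipient.c (recipient and finduser), or give buildfname a prototype with a size_t parameter. The declaration of `buf` lies outside this hunk, so it should be confirmed that it is an array and not a pointer, since `sizeof` on a pointer would pass the pointer size.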
diff --git a/usr.sbin/sendmail/src/recipient.c b/usr.sbin/sendmail/src/recipient.c
index 79126e9ccc5..90e3e5a4353 100644
--- a/usr.sbin/sendmail/src/recipient.c
+++ b/usr.sbin/sendmail/src/recipient.c
@@ -535,7 +535,7 @@ recipient(a, sendq, aliaslevel, e)
a->q_gid = pw->pw_gid;
a->q_ruser = newstr(pw->pw_name);
a->q_flags |= QGOODUID;
- buildfname(pw->pw_gecos, pw->pw_name, nbuf);
+ buildfname(pw->pw_gecos, pw->pw_name, nbuf, sizeof nbuf);
if (nbuf[0] != '\0')
a->q_fullname = newstr(nbuf);
if (!usershellok(pw->pw_name, pw->pw_shell))
@@ -743,7 +743,7 @@ finduser(name, fuzzyp)
}
# endif
- buildfname(pw->pw_gecos, pw->pw_name, buf);
+ buildfname(pw->pw_gecos, pw->pw_name, buf, sizeof buf);
if (strchr(buf, ' ') != NULL && !strcasecmp(buf, name))
{
if (tTd(29, 4))
diff --git a/usr.sbin/sendmail/src/util.c b/usr.sbin/sendmail/src/util.c
index 096f519d0c3..06104232543 100644
--- a/usr.sbin/sendmail/src/util.c
+++ b/usr.sbin/sendmail/src/util.c
@@ -383,10 +383,11 @@ makelower(p)
*/
void
-buildfname(gecos, login, buf)
+buildfname(gecos, login, buf, bufsiz)
register char *gecos;
char *login;
char *buf;
+ int bufsiz;
{
register char *p;
register char *bp = buf;
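Review bot: The new `bufsiz` parameter is neither documented nor validated. The header comment that closes just above `void` starts outside this hunk and is not touched by it, so it presumably still describes the three-argument form; it should gain a line such as `bufsiz -- size of buf in bytes, including the terminating NUL; output is silently truncated to fit`. A guard at the top of the body, `if (bufsiz <= 0) return;`, would also keep the `buf[bufsiz - 1]` store added later in this function inside the buffer when a caller passes a bad size.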
@@ -395,22 +396,13 @@ buildfname(gecos, login, buf)
if (*gecos == '*')
gecos++;
- /* find length of final string */
- l = 0;
- for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
- {
- if (*p == '&')
- l += strlen(login);
- else
- l++;
- }
-
- /* now fill in buf */
- for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
+ for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'
+ && ((bp - buf) <= (bufsiz - 1)); p++)
{
if (*p == '&')
{
- (void) strcpy(bp, login);
+ (void) strncpy(bp, login, (bufsiz - (bp - buf) - 1));
+ buf[bufsiz - 1] = '\0';
*bp = toupper(*bp);
while (*bp != '\0')
bp++;
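Review bot: The loop bound `(bp - buf) <= (bufsiz - 1)` still admits one iteration when bp already points at the last byte of buf. The plain-character branch is outside this hunk, but if it stores through bp and advances it, that iteration fills buf[bufsiz - 1] and a terminator written after the loop would land one byte past the buffer. Changing the condition to `&& ((bp - buf) < (bufsiz - 1)); p++)` reserves the final byte for the NUL and also keeps the strncpy length at least 1 in the `&` branch. On the unchanged `toupper(*bp)` line, casting the argument to `unsigned char` would avoid passing a negative value for high-bit login characters.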