From 835c943d1e3d17ed2f7dd596426cf902999cf7e9 Mon Sep 17 00:00:00 2001
From: Theo de Raadt
Date: Fri, 30 Aug 1996 11:39:37 +0000
Subject: buf oflow; found by das33@cornell.edu and us crazy calgary night owls
---
 usr.bin/finger/finger.c | 10 ++++++++--
 usr.bin/finger/util.c | 30 ++++++++++++++++++++++--------
 2 files changed, 30 insertions(+), 10 deletions(-)
(limited to 'usr.bin')
diff --git a/usr.bin/finger/finger.c b/usr.bin/finger/finger.c
index e18dca2e4ab..c2993d08d40 100644
--- a/usr.bin/finger/finger.c
+++ b/usr.bin/finger/finger.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: finger.c,v 1.2 1996/06/26 05:33:16 deraadt Exp $ */
+/* $OpenBSD: finger.c,v 1.3 1996/08/30 11:39:36 deraadt Exp $ */
 /*
 * Copyright (c) 1989 The Regents of the University of California.
@@ -48,7 +48,7 @@ char copyright[] =
 #ifndef lint
 /*static char sccsid[] = "from: @(#)finger.c 5.22 (Berkeley) 6/29/90";*/
-static char rcsid[] = "$OpenBSD: finger.c,v 1.2 1996/06/26 05:33:16 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: finger.c,v 1.3 1996/08/30 11:39:36 deraadt Exp $";
 #endif /* not lint */
 /*
@@ -74,6 +74,10 @@ time_t now;
 int lflag, sflag, mflag, pplan;
 char tbuf[1024];
+int loginlist __P((void));
+void userlist __P((int, char **));
+
+int
 main(argc, argv)
 int argc;
 char **argv;
@@ -137,6 +141,7 @@ main(argc, argv)
 exit(0);
 }
+int
 loginlist()
 {
 register PERSON *pn;
@@ -164,6 +169,7 @@ loginlist()
 enter_lastlog(pn);
 }
+void
 userlist(argc, argv)
 register argc;
 register char **argv;
diff --git a/usr.bin/finger/util.c b/usr.bin/finger/util.c
index ce0138ecc74..5eea1a3368e 100644
--- a/usr.bin/finger/util.c
+++ b/usr.bin/finger/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.3 1996/08/07 17:49:49 downsj Exp $ */
+/* $OpenBSD: util.c,v 1.4 1996/08/30 11:39:36 deraadt Exp $ */
 /*
 * Copyright (c) 1989 The Regents of the University of California.
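Review bot: `loginlist` is given an `int` return type in both the new prototype and the definition, yet the tail of the function shown in the -164 hunk ends at `enter_lastlog(pn); }` with no return statement. If nothing consumes its result (the call in main is outside these hunks), declare it the same way as userlist: `void loginlist __P((void));` and `void` above the definition. The bodies of main and loginlist lie mostly outside the hunks, so an earlier `return` cannot be ruled out from here.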
@@ -38,7 +38,7 @@
 #ifndef lint
 /*static char sccsid[] = "from: @(#)util.c 5.14 (Berkeley) 1/17/91";*/
-static char rcsid[] = "$OpenBSD: util.c,v 1.3 1996/08/07 17:49:49 downsj Exp $";
+static char rcsid[] = "$OpenBSD: util.c,v 1.4 1996/08/30 11:39:36 deraadt Exp $";
 #endif /* not lint */
 #include
@@ -81,7 +81,8 @@ userinfo(pn, pw)
 register char *p, *t;
 struct stat sb;
 extern int errno;
- char *bp, name[1024];
+ char *mbp, *bp, *name;
+ int len;
 pn->realname = pn->office = pn->officephone = pn->homephone = NULL;
@@ -91,22 +92,31 @@ userinfo(pn, pw)
 pn->shell = strdup(pw->pw_shell);
 /* why do we skip asterisks!?!? */
- (void)strcpy(bp = tbuf, pw->pw_gecos);
+ mbp = bp = (char *)malloc(strlen(pw->pw_gecos)+1);
+ strcpy(bp, pw->pw_gecos);
 if (*bp == '*') ++bp;
 /* ampersands get replaced by the login name */
- if (!(p = strsep(&bp, ",")))
+ if (!(p = strsep(&bp, ","))) {
+ free(mbp);
 return;
- for (t = name; *t = *p; ++p)
+ }
+ for (len = 0, t = p; *p; ++p) {
+ len++;
+ if (*p == '&')
+ len += strlen(pw->pw_name);
+ }
+ name = (char *)malloc(len + 1);
+ for (p = t, t = name; *t = *p; ++p)
 if (*t == '&') {
 (void)strcpy(t, pw->pw_name);
 if (islower(*t)) *t = toupper(*t);
 while (*++t);
- }
- else
+ } else
 ++t;
+ *t = '\0';
 pn->realname = strdup(name);
 pn->office = ((p = strsep(&bp, ",")) && *p) ? strdup(p) : NULL;
@@ -120,12 +130,16 @@ userinfo(pn, pw)
 if (errno != ENOENT) {
 (void)fprintf(stderr, "finger: %s: %s\n", tbuf, strerror(errno));
+ free(name);
+ free(mbp);
 return;
 }
 } else if (sb.st_size != 0) {
 pn->mailrecv = sb.st_mtime;
 pn->mailread = sb.st_atime;
 }
+ free(name);
+ free(mbp);
 }
 match(pw, user)
--
cgit v1.2.3
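Review bot: Both new allocations in the -91 hunk are used without a NULL check: `strcpy(bp, pw->pw_gecos)` runs directly on the first `malloc` result, and the ampersand-expansion loop writes through `name` from the second. A failed allocation should stop here, e.g. `if (mbp == NULL) { (void)fprintf(stderr, "finger: out of memory\n"); exit(1); }`, with the same test after `name = (char *)malloc(len + 1);`. The sizing pass also assumes every `&` expands to at least one byte: with an empty `pw->pw_name` the unchanged `while (*++t);` steps over the NUL that strcpy just wrote and scans uninitialized heap, so replacing it with `t += strlen(pw->pw_name);` keeps the write pointer inside what was counted. `len` accumulates `strlen` results and would be better declared `size_t` (the declaration is in the -81 hunk).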
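Review bot: The error path in the -120 hunk still prints `tbuf`, so the 1024-byte global that this commit stops using for the GECOS copy is presumably still filled earlier in userinfo, outside the hunk. If that write is an unbounded `sprintf` or `strcpy` involving `pw->pw_name` (not visible here, to be confirmed), it needs the same attention, for example `snprintf(tbuf, sizeof(tbuf), ...)` with the existing format and arguments. Separately, the `free(name); free(mbp);` pair is now repeated on both exits; a single cleanup label at the end of the function would keep any later return path from leaking the two buffers.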