Bug #1448

Potential buffer overflows in fscanf()

Added by Matthias Diener 9 months ago. Updated 18 days ago.

Status: Merged
Priority: Low
Category: -
Target version:
Start date: 02/27/2017
Due date:
% Done: 0%


Description

There is a potential buffer overflow in mylogin() when the username is long:

    char uname[64];
    sprintf(cmd, "id -u -n");
    p = popen(cmd, "r");
    if (p) {
      fscanf(p, "%s", uname);

If the username is longer than 64 characters, it will overwrite the uname variable. Current systems support usernames of at least 256 characters (test with getconf LOGIN_NAME_MAX).

I can see two ways to fix this:
- Completely remove the #if CMK_HAS_POPEN case.
- Replace with getline()/strdup().
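A sketch of the second option above, as an added example that is not part of the original report or the project's code: the output of `id -u -n` is read with getline(), which allocates the buffer itself, so no fixed-size `uname` array (and no separate strdup()) is involved. The helper names `read_first_line` and `login_from_id` are hypothetical.

```c
/* Added example: read a command's first output line without a
 * fixed-size buffer, so a long login name cannot overflow it. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* getline(), popen(), pclose() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical helper: returns a malloc'd copy of the first line of fp
 * with the trailing newline removed, or NULL on EOF/error. Caller frees. */
char *read_first_line(FILE *fp)
{
    char *line = NULL;
    size_t cap = 0;
    ssize_t n = getline(&line, &cap, fp);  /* getline grows the buffer */
    if (n <= 0) {
        free(line);
        return NULL;
    }
    if (line[n - 1] == '\n')
        line[n - 1] = '\0';
    return line;
}

/* Hypothetical stand-in for the popen branch: login name from `id -u -n`. */
char *login_from_id(void)
{
    FILE *p = popen("id -u -n", "r");
    if (!p)
        return NULL;
    char *name = read_first_line(p);
    if (pclose(p) != 0) {       /* command failed: discard partial output */
        free(name);
        return NULL;
    }
    return name;
}

int main(void)
{
    char *name = login_from_id();
    printf("login: %s\n", name ? name : "(unknown)");
    free(name);
    return 0;
}
```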

History

#1 Updated by Matthias Diener 7 months ago

  • Target version set to 6.8.1

#2 Updated by Matthias Diener 4 months ago

  • Target version changed from 6.8.1 to 6.8.0
  • Status changed from New to Implemented

#3 Updated by Matthias Diener 4 months ago

  • Subject changed from Potential buffer overflow in mylogin() to Potential buffer overflows in fscanf()

#4 Updated by Phil Miller 4 months ago

  • Target version changed from 6.8.0 to 6.9.0

#5 Updated by Matthias Diener 18 days ago

  • Status changed from Implemented to Merged
