guix-devel

Re: cracklib: Fix buffer overflow


From: Leo Famulari
Subject: Re: cracklib: Fix buffer overflow
Date: Tue, 20 Sep 2016 13:43:10 -0400
User-agent: Mutt/1.7.0 (2016-08-17)

On Tue, Sep 20, 2016 at 12:32:02PM +0300, Efraim Flashner wrote:
> > +diff --git a/src/lib/rules.c b/src/lib/rules.c
> > +index d193cc0..3a2aa46 100644
> > +--- a/lib/rules.c
> > ++++ b/lib/rules.c
> > +@@ -434,9 +434,8 @@ Mangle(input, control)         /* returns a pointer to 
> > a controlled Mangle */
> > + {
> > +     int limit;
> > +     register char *ptr;
> > +-    static char area[STRINGSIZE];
> > +-    char area2[STRINGSIZE];
> > +-    area[0] = '\0';
> > ++    static char area[STRINGSIZE * 2] = {0};
> > ++    char area2[STRINGSIZE * 2] = {0};
> > +     strcpy(area, input);
> > + 
> > +     for (ptr = control; *ptr; ptr++)
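Review bot: doubling `area` and `area2` to `STRINGSIZE * 2` only moves the overflow threshold, because the retained context line `strcpy(area, input);` is still an unbounded copy; an input of `2 * STRINGSIZE` bytes or more still overruns the array. Bound the copy against the array instead, e.g. reject over-long input before copying (`if (strlen(input) >= sizeof(area)) return NULL;`) or replace the strcpy with `snprintf(area, sizeof(area), "%s", input);`. Two smaller points in the same hunk: the header paths disagree (`diff --git a/src/lib/rules.c` versus `--- a/lib/rules.c` / `+++ b/lib/rules.c`), so `patch -p1`, which takes the path from the `---`/`+++` lines, and `git apply`, which reads the `diff --git` line, will not resolve the same file; regenerate the patch so both agree. And `static char area[STRINGSIZE * 2] = {0};` is zero-initialised only once at program start, so dropping the per-call `area[0] = '\0';` is safe only because strcpy always writes a terminator; worth a comment so a later change to the copy does not silently rely on stale contents.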
> > -- 
> > 2.10.0
> > 
> 
> Not having looked at the full source of lib/rules.c, is there a maximum
> value to STRINGSIZE to make sure STRINGSIZE * 2 doesn't wrap around?

STRINGSIZE is defined in 'lib/packer.h' as 1024:

https://github.com/cracklib/cracklib/blob/cracklib-2.9.6/src/lib/packer.h#L11

I just looked at all the uses of STRINGSIZE in order to give a brief
overview of how it's used, but I'm not skilled enough to recognize every
case where it might be dangerous and overflow.

STRINGSIZE is used to declare many char arrays, an array of pointers,
and as an argument to fgets, snprintf, and strncpy. Also the object
macro TRUNCSTRINGSIZE is defined as (STRINGSIZE / 4).

Attachment: signature.asc
Description: PGP signature
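An added example, not cracklib's code and not part of this thread: the copy-into-a-fixed-work-area pattern the patch above changes, written with a bound check so that an input of STRINGSIZE bytes or more is rejected rather than written past the array. STRINGSIZE is the value of 1024 quoted above from lib/packer.h; the function names `bounded_copy`, `mangle_prepare` and `mangle_prepare_len` are hypothetical stand-ins, and the long inputs are constructed in the code.

```c
/* Added example (not cracklib code): a bounded replacement for the
 * unchecked strcpy(area, input) pattern discussed in the thread. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STRINGSIZE 1024          /* value the thread quotes for lib/packer.h */
#define MAX_TEST_INPUT (STRINGSIZE * 4)

/* Copy `input` into dst only if it fits, including the terminating NUL.
 * Returns 1 on success; returns 0 and stores "" if it does not fit.
 * The scan stops at dst_size, so even an unterminated input is never
 * read beyond that bound. */
int bounded_copy(char *dst, size_t dst_size, const char *input)
{
    if (dst_size == 0)
        return 0;
    size_t len = 0;
    while (len < dst_size && input[len] != '\0')
        len++;
    if (len >= dst_size) {       /* no room left for the '\0' */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, input, len + 1);
    return 1;
}

/* Hypothetical stand-in for the start of a Mangle()-style routine.
 * The thread's version does strcpy() into a STRINGSIZE-byte array, so
 * any input of STRINGSIZE or more bytes overflows it; here such input
 * is rejected with -1, otherwise the accepted length is returned. */
int mangle_prepare(const char *input)
{
    char area[STRINGSIZE];
    if (!bounded_copy(area, sizeof area, input))
        return -1;
    return (int)strlen(area);
}

/* Builds a constructed input of `len` 'a' bytes and feeds it to
 * mangle_prepare(); probes the boundary without a real wordlist. */
int mangle_prepare_len(size_t len)
{
    static char buf[MAX_TEST_INPUT + 1];
    if (len > MAX_TEST_INPUT)
        len = MAX_TEST_INPUT;
    memset(buf, 'a', len);
    buf[len] = '\0';
    return mangle_prepare(buf);
}

int main(void)
{
    printf("short word:         %d\n", mangle_prepare("password"));
    printf("STRINGSIZE-1 bytes: %d\n", mangle_prepare_len(STRINGSIZE - 1));
    printf("STRINGSIZE bytes:   %d\n", mangle_prepare_len(STRINGSIZE));
    printf("2*STRINGSIZE bytes: %d\n", mangle_prepare_len(STRINGSIZE * 2));
    return 0;
}
```

The point of the check is that it is expressed in terms of `sizeof area`, so growing the array (as the patch does) automatically moves the bound with it, whereas an unbounded strcpy is only ever "safe" for inputs shorter than whatever size happens to be chosen.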

