Finger bug

utzoo!decvax!harpo!seismo!hao!csu-cs!bentson
Tue Jan 11 09:15:30 AEST 1983


Here's a funny bug in finger. It's been around our site for a while,
but it comes and goes and we only just now found the problem.

If the gcos field is empty and the length of the home directory field
is longer than the size of buffer-2, then the code to pick up sub-fields
within matchcmp will overrun the buffer (stepping on part of the call
stack frame). We have added both code to ensure that the empty gcos field
is identified and code to make sure that a long name doesn't overrun the
buffer.

*** finger.Nov13	Fri Nov 13 10:35:48 1981
--- finger.c		Mon Jan 10 13:46:05 1983
***************
--- 65 -----
+ #define		NAMESIZE	20	/* maximum size name field */
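Review bot: the comment on `NAMESIZE` overstates the capacity by one: with the `i == NAMESIZE - 1` guard in the later hunk the buffer holds at most 19 name characters plus the terminator, so `/* size of name buffer, including terminator */` would describe it accurately. Any other place that still assumes the literal 20 for this buffer should use the macro as well.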
***************
*** 1233,1239
      char		*login;
      char		*given;
  {
! 	char		buffer[ 20 ];
  	char		c;
  	int		flag,  i,  unfound;
  

--- 1235,1241 -----
      char		*login;
      char		*given;
  {
! 	char		buffer[ NAMESIZE ];
  	char		c;
  	int		flag,  i,  unfound;
  
***************
*** 1254,1260
  		while(  unfound  )  {
  		    if( flag )  {
  			c = *gname++;
! 			if( c == SAMENAME )  {
  			    flag = 0;
  			    c = *login++;
  			}

--- 1256,1265 -----
  		while(  unfound  )  {
  		    if( flag )  {
  			c = *gname++;
! 			if ( c == NULL ){
! 			    break;
! 			}
! 			else if( c == SAMENAME )  {
  			    flag = 0;
  			    c = *login++;
  			}
***************
*** 1283,1289
  			flag = 1;
  		    }
  		    else  {
! 			buffer[ i++ ] = c;
  		    }
  		}
  		buffer[i++] = NULL;

--- 1288,1299 -----
  			flag = 1;
  		    }
  		    else  {
! 			if( i == NAMESIZE - 1 ){
! 			    fprintf(stderr,
! 				"size of name in /etc/passwd is too long");
! 			    break;
! 			}else
! 			    buffer[ i++ ] = c;
  		    }
  		}
  		buffer[i++] = NULL;
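Review bot: the diagnostic at `fprintf(stderr, ...)` has no trailing newline and does not say whose entry is too long, so it is hard to act on; suggest `"finger: name field for %s in /etc/passwd is too long\n", login`. The `}else` on one line breaks the brace style used in the rest of the function. The guard itself is right: after the `break`, the unchanged `buffer[i++] = NULL;` writes the terminator at index `NAMESIZE - 1`, the last byte of the buffer (that terminator, too, would read better as `'\0'`).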


Craig VanWagner
Randy Bentson
Colo State U - Comp Sci
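As an added illustration, not code from the posted patch or from finger itself, of the two cases the post describes (an empty gcos field, and an over-long field sitting right behind it in memory): a bounded sub-field copy that stops at the NUL and never writes past a NAMESIZE-byte buffer. The names copy_field, gcos_field and home_field and the passwd record are constructed for this example; NAMESIZE reuses the value the patch defines.

```c
#include <stdio.h>
#include <string.h>
#define NAMESIZE 20   /* same buffer size the finger patch introduces */
enum field_status { FIELD_OK, FIELD_EMPTY, FIELD_TOO_LONG };

/* Copy one sub-field of a NUL-terminated string into buf, stopping at sep or
 * at the NUL and never writing more than NAMESIZE bytes.  An empty field (NUL
 * first) is reported instead of read past, the case the old finger loop missed. */
enum field_status copy_field(char buf[NAMESIZE], const char *src, char sep)
{
    int i = 0;
    char c;
    while ((c = *src++) != '\0' && c != sep) {
        if (i == NAMESIZE - 1) {       /* only the terminator still fits */
            buf[i] = '\0';
            return FIELD_TOO_LONG;
        }
        buf[i++] = c;
    }
    buf[i] = '\0';
    return i == 0 ? FIELD_EMPTY : FIELD_OK;
}

/* Constructed passwd record (not a real entry), split in place the way a
 * getpwent-style reader leaves it: each ':' replaced by a NUL, so the empty
 * gcos field is a lone NUL followed directly by the long home directory. */
static char record[] =
    "bob\0" "x\0" "101\0" "100\0" "\0" "/usr/users/very/long/home/dir/bob\0" "/bin/sh";
static const char *gcos_field = record + 14;   /* the empty gcos field */
static const char *home_field = record + 15;   /* what follows it in memory */

/* Full-name sub-field of gcos; sub-fields inside gcos are ',' separated. */
enum field_status gcos_name_status(char buf[NAMESIZE])
{
    return copy_field(buf, gcos_field, ',');
}

/* What a reader gets if it runs past the empty gcos into the home directory. */
enum field_status home_status(char buf[NAMESIZE])
{
    return copy_field(buf, home_field, ',');
}

int main(void)
{
    char buf[NAMESIZE];
    printf("gcos: status %d, name \"%s\"\n", gcos_name_status(buf), buf);
    printf("home: status %d, kept \"%s\"\n", home_status(buf), buf);
    return 0;
}
```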