Finger bug
utzoo!decvax!harpo!seismo!hao!csu-cs!bentson
Tue Jan 11 09:15:30 AEST 1983
Here's a funny bug in finger. It's been around our site for a while,
but it comes and goes and we only just now found the problem.
If the gcos field is empty and the length of the home directory field
is longer than the size of buffer-2, then the code to pick up sub-fields
within matchcmp will overrun the buffer (stepping on part of the call
stack frame). We have added both code to ensure that the empty gcos field
is identified and code to make sure that a long name doesn't overrun the
buffer.
*** finger.Nov13 Fri Nov 13 10:35:48 1981
--- finger.c Mon Jan 10 13:46:05 1983
***************
--- 65 -----
+ #define NAMESIZE 20 /* maximum size name field */
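Review bot: the comment on `#define NAMESIZE 20 /* maximum size name field */` overstates what fits. NAMESIZE is the size of the array, and since the terminator is stored with `buffer[i++] = NULL` after the loop, the longest name that can be held is NAMESIZE - 1 characters (which is exactly where the matchcmp check stops). Suggest `/* size of name buffer, holds NAMESIZE-1 chars plus NUL */` so the next reader does not raise the limit off by one.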
***************
*** 1233,1239
char *login;
char *given;
{
! char buffer[ 20 ];
char c;
int flag, i, unfound;
--- 1235,1241 -----
char *login;
char *given;
{
! char buffer[ NAMESIZE ];
char c;
int flag, i, unfound;
***************
*** 1254,1260
while( unfound ) {
if( flag ) {
c = *gname++;
! if( c == SAMENAME ) {
flag = 0;
c = *login++;
}
--- 1256,1265 -----
while( unfound ) {
if( flag ) {
c = *gname++;
! if ( c == NULL ){
! break;
! }
! else if( c == SAMENAME ) {
flag = 0;
c = *login++;
}
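Review bot: `if ( c == NULL )` compares a char with the null pointer constant; use `'\0'` (or `0`) instead, since NULL is defined as a pointer in many headers and the comparison draws a warning or fails under stricter compilers. The early `break` does cover the empty gcos case from the report, because the first character read from gname is then the terminator, but note it only guards the gname side of the read: the `c = *login++` path has no corresponding end-of-string check in this hunk, so a login name shorter than expected still depends on whatever sets `flag = 1` further down.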
***************
*** 1283,1289
flag = 1;
}
else {
! buffer[ i++ ] = c;
}
}
buffer[i++] = NULL;
--- 1288,1299 -----
flag = 1;
}
else {
! if( i == NAMESIZE - 1 ){
! fprintf(stderr,
! "size of name in /etc/passwd is too long");
! break;
! }else
! buffer[ i++ ] = c;
}
}
buffer[i++] = NULL;
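Review bot: the bound `i == NAMESIZE - 1` is correct, since it leaves the one slot that `buffer[i++] = NULL` fills after the loop, but two things around it should change. The diagnostic `"size of name in /etc/passwd is too long"` has no trailing newline and does not say which entry, so the offending line cannot be found; include the login name and end the message with `\n`. More importantly, after the `break` the function goes on to terminate and presumably compare the truncated buffer, so an oversize name is reported and then still matched on its prefix; treat the truncation as a no-match (set `unfound` accordingly or return) rather than compare a partial name. Also `buffer[i++] = NULL` stores a pointer constant into a char; `'\0'` is the right constant.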
Craig VanWagner
Randy Bentson
Colo State U - Comp Sci
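The name copy that matchcmp performs, rewritten with the two checks the patch describes. This is an added example, not the finger source or the patch above; it assumes SAMENAME is the gcos `&` that finger expands to the login name, and that the name ends at a space or comma.

```c
#include <string.h>

#define NAMESIZE 20   /* same buffer size the patch introduces */
#define SAMENAME '&'  /* assumed: gcos character finger expands to the login name */

/* Append c to buf, keeping one slot for the terminator;
 * returns 1 (with buf terminated) when the buffer is full. */
static int put(char *buf, size_t bufsize, size_t *i, char c)
{
    if (*i >= bufsize - 1) {
        buf[*i] = '\0';
        return 1;
    }
    buf[(*i)++] = c;
    return 0;
}

/* Copy the first word of a gcos field into buf, expanding SAMENAME to
 * the login name, with the two checks the patch adds: an empty gcos
 * field is reported instead of being scanned past its end, and every
 * store is bounds-checked so the terminator always fits.
 * Returns 0 (ok), -1 (empty gcos field) or 1 (name truncated). */
int gcos_first_word(const char *gcos, const char *login,
                    char *buf, size_t bufsize)
{
    size_t i = 0;
    if (bufsize == 0)
        return -1;
    buf[0] = '\0';
    if (gcos == NULL || *gcos == '\0' || *gcos == ',')
        return -1;
    for (; *gcos != '\0' && *gcos != ',' && *gcos != ' '; gcos++) {
        if (*gcos == SAMENAME) {        /* pull the login name instead */
            for (const char *l = login; *l != '\0'; l++)
                if (put(buf, bufsize, &i, *l))
                    return 1;
        } else if (put(buf, bufsize, &i, *gcos)) {
            return 1;
        }
    }
    buf[i] = '\0';
    return 0;
}

/* Wrappers over a fixed NAMESIZE array, the shape of finger's local buffer. */
static char name[NAMESIZE];
int expand(const char *g, const char *l) { return gcos_first_word(g, l, name, sizeof name); }
const char *expanded(void) { return name; }
```

Calling expand() with a gcos field longer than NAMESIZE - 1 characters returns 1 and leaves a terminated, truncated name; the caller should treat that as a non-match rather than compare the prefix.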