user/3147: banner(1) does not perform sanity check on input

From: <alexander(at)beard.se>
Date: Wed Mar 12 2003 - 18:13:41 EST


>Number: 3147
net
>Environment:

	System      : OpenBSD 3.2
	Architecture: OpenBSD.i386
	Machine     : i386

>Description:
banner(1) does not check whether the characters from the command line are within valid bounds. If an unexpected character is used, this results in an index that points outside the character set array. This fix also includes the fix for the bug described in PR #3146 (bad handling of empty input strings).
>How-To-Repeat:
$ echo -en "NO \003\004\005 NO" | xargs -0 /usr/bin/banner
>Fix:
Patch follows:

Index: banner.c



RCS file: /cvs/src/usr.bin/banner/banner.c,v retrieving revision 1.5
diff -r1.5 banner.c
142,143c142,146
<               for (nchrs = 0; ; ) {
<                       c = TRC(cc = *sp++);
---

> for (nchrs = 0; *sp != dlm && *sp != '\0'; ) {
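Review bot: the range check on `c` is not visible in the replacement for lines 142-146. The hunk header promises five new lines, but only the `for` line appears, and the removed `c = TRC(cc = *sp++);` has no visible successor. The description depends on that check, so it should test the value before it is used as an index, cover both ends of the character set, and substitute INVALID. Also confirm that `sp` is still advanced in the loop body now that the loop condition reads `*sp`.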
150c153 < if (*sp == dlm || *sp == '\0' || nchrs++ >= PW/(WIDTH+1)-1) ---
> if (nchrs++ >= PW/(WIDTH+1)-1)
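Review bot: style point on the new line 153: with the delimiter and NUL tests moved into the loop header, the counter still advances as a side effect of the `if` test while the `for` keeps an empty third clause. Putting the increment in the `for` header or on its own statement would make the line limit easier to audit, and a short comment saying what `PW/(WIDTH+1)-1` represents would help.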
Index: banner.h

RCS file: /cvs/src/usr.bin/banner/banner.h,v retrieving revision 1.2
diff -r1.2 banner.h
24a25
> #define INVALID '_'
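Review bot: `INVALID` is added without a comment, and none of the visible banner.c lines use it. Document that it is the character substituted for out-of-range input, and make sure '_' itself lies inside the range the character set array covers, so the substitution cannot itself index out of bounds.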

>Release-Note:
Received on Wed Mar 12 18:36:46 2003
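The bounds check the description calls for, as an added C example (not the patch's or OpenBSD's code). It assumes a glyph table covering ' ' through '~' indexed by offset from ' ', and uses a constructed one-byte-per-glyph table. `glyph_index`, `render_word`, `FIRST`, `LAST` and `MAXCH` are hypothetical names; only `INVALID '_'` comes from the banner.h hunk.

```c
#include <stdio.h>

#define FIRST   ' '   /* assumed first glyph in the table */
#define LAST    '~'   /* assumed last glyph in the table */
#define INVALID '_'   /* substitute character, value taken from the banner.h hunk */
#define MAXCH   16    /* hypothetical per-line limit, stands in for PW/(WIDTH+1)-1 */

/* Constructed stand-in for the character set array:
 * one byte per glyph, indexed by (character - FIRST). */
static const char font[] =
    " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

/* Turn an input byte into a table index that is always in bounds. */
static int glyph_index(int cc)
{
    unsigned char uc = (unsigned char)cc;  /* bytes >= 0x80 must not go negative */

    if (uc < FIRST || uc > LAST)
        uc = INVALID;
    return uc - FIRST;
}

/* Look up glyphs until dlm, NUL or MAXCH; out needs MAXCH + 1 bytes.
 * Testing before consuming means empty input yields zero glyphs. */
static int render_word(const char *sp, char dlm, char *out)
{
    int nchrs = 0;

    while (*sp != dlm && *sp != '\0' && nchrs < MAXCH)
        out[nchrs++] = font[glyph_index(*sp++)];
    out[nchrs] = '\0';
    return nchrs;
}

int main(void)
{
    char buf[MAXCH + 1];
    /* Constructed input matching the report's How-To-Repeat bytes. */
    int n = render_word("NO \003\004\005 NO", '\0', buf);

    printf("%d glyphs: \"%s\"\n", n, buf);
    return 0;
}
```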

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:52 EDT

