OpenSolaris

Bug ID 6725298
Synopsis Possible buffer overflow in profile mode (pfexec)
State 10-Fix Delivered (Fix available in build)
Category:Subcategory rbac:utilities
Keywords opensolaris | oss-sponsor
Sponsor John Zolnowsky
Submitter schilling
Responsible Engineer John Zolnowsky
Reported Against snv_91
Duplicate Of
Introduced In solaris_8
Commit to Fix snv_108
Fixed In snv_108
Release Fixed solaris_nevada(snv_108)
Related Bugs
Submit Date 13-July-2008
Last Update Date 11-February-2009
Description
Category
   shell
Sub-Category
   bourne
Description
   All shells that rely on usr/src/cmd/sh/sh_policy.c suffer from a possible
   buffer overflow as a result of a wrong algorithm used to compute the size
   of the new arg vector.
   A buffer overflow occurs whenever the number of arguments is big enough
   and the strlen() of the args is lower than sizeof (char *).
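To make the sizing error concrete, the following is an added example, not code from the OpenSolaris source tree or from this bug report. It computes the byte count the pre-fix code would request (summed string lengths plus strlen(PFEXEC) plus one) beside the byte count the pointer array actually occupies, and builds the prefixed vector the way the patch does. The PFEXEC path string and the argument lists are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value for illustration; the real definition lives in sh_policy.c. */
#define PFEXEC "/usr/bin/pfexec"

/* Bytes the pre-fix code would have asked calloc() for: the summed string
 * lengths of the arguments plus strlen(PFEXEC) plus one. That is a count of
 * string bytes, not of pointer slots, so it is the wrong unit for a char **. */
size_t old_alloc_bytes(char *const arg_v[])
{
    size_t arglen = 0;
    for (int i = 0; arg_v[i] != NULL; i++)
        arglen += strlen(arg_v[i]);
    arglen += strlen(PFEXEC);
    arglen++;                           /* for null termination */
    return arglen;
}

/* Bytes the new vector really occupies: one char * per argument, one for
 * the PFEXEC prefix, one for the terminating NULL. */
size_t needed_bytes(char *const arg_v[])
{
    size_t n = 0;
    while (arg_v[n] != NULL)
        n++;
    return (n + 2) * sizeof (char *);
}

/* Nonzero when the old sizing hands out a block too small for the vector
 * that is subsequently written into it. */
int old_sizing_overflows(char *const arg_v[])
{
    return old_alloc_bytes(arg_v) < needed_bytes(arg_v);
}

/* Fixed construction, mirroring the patch: count slots, let calloc() do the
 * byte multiplication (which also detects count * size overflow), then put
 * PFEXEC in front. Strings are shared with arg_v; caller frees the array. */
char **build_pfexec_argv(char *const arg_v[])
{
    size_t nargs = 0;
    while (arg_v[nargs] != NULL)
        nargs++;
    size_t slots = nargs + 2;           /* PFEXEC + args + NULL */
    char **pfarg_v = calloc(slots, sizeof (char *));
    if (pfarg_v == NULL)
        return NULL;
    pfarg_v[0] = (char *)PFEXEC;
    for (size_t i = 0; i < nargs; i++)
        pfarg_v[i + 1] = arg_v[i];
    /* calloc() already left pfarg_v[slots - 1] as NULL */
    return pfarg_v;
}

/* Number of non-NULL entries in a NULL-terminated vector. */
size_t vector_len(char *const v[])
{
    size_t n = 0;
    while (v[n] != NULL)
        n++;
    return n;
}

/* Constructed input 1: many one-character arguments, the shape the report
 * describes (each strlen() below sizeof (char *)). */
static char *many_short_args[] = {
    "a", "b", "c", "d", "e", "f", "g", "h", "i", "j",
    "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", NULL
};

/* Constructed input 2: a single argument longer than a pointer, where the
 * old byte count happens to be large enough by accident. */
static char *one_long_arg[] = {
    "this-single-argument-is-longer-than-a-pointer", NULL
};

int main(void)
{
    printf("20 short args: old sizing %zu bytes, needed %zu bytes, overflow: %s\n",
           old_alloc_bytes(many_short_args), needed_bytes(many_short_args),
           old_sizing_overflows(many_short_args) ? "yes" : "no");
    printf("1 long arg:    old sizing %zu bytes, needed %zu bytes, overflow: %s\n",
           old_alloc_bytes(one_long_arg), needed_bytes(one_long_arg),
           old_sizing_overflows(one_long_arg) ? "yes" : "no");

    char **v = build_pfexec_argv(many_short_args);
    if (v == NULL)
        return 1;
    for (size_t i = 0; v[i] != NULL; i++)
        printf("pfarg_v[%zu] = %s\n", i, v[i]);
    free(v);
    return 0;
}
```

The first input shows the case the report names: twenty one-byte arguments give the old code a 36-byte request, while the pointer array needs 22 slots of sizeof (char *) bytes. The second input shows why the bug is easy to miss in casual testing: a single long argument makes the mismeasured byte count large enough that nothing visibly breaks.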
Frequency
   Always
Regression
   No
Steps to Reproduce
   See Description
Expected Result
   Unimportant
Actual Result
   Unimportant
Error Message(s)
   Unimportant
Test Case
   None
Workaround
   Apply the following patch:
------- sh_policy.c -------
--- /tmp/sccs._6aiPs    Mo Jul 14 00:59:04 2008
+++ sh_policy.c Mo Jul 14 00:11:49 2008
@@ -106,11 +106,11 @@
                return (pfarg_v);
        }
        for (i = 0; arg_v[i] != 0; i++) {
-               arglen += strlen(arg_v[i]);
+               arglen++;
        }
-       arglen += strlen(PFEXEC);
+       arglen++;       /* for PFEXEC */
        arglen++;       /* for null termination */
-       if ((pfarg_v = (char **)calloc(1, arglen)) == NULL) {
+       if ((pfarg_v = (char **)calloc(arglen, sizeof (char *))) == NULL) {
                return (pfarg_v);
        }
        pfarg_v[0] = (char *)PFEXEC;
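Review bot: after this hunk `arglen` counts `char *` slots rather than bytes, so its name no longer matches its use; renaming it to something like `nargs` and saying in a comment that the array holds `nargs` entries of `char *` would stop a later reader from reintroducing `calloc(1, arglen)`. The sizing itself is right: one slot per entry of `arg_v`, one for PFEXEC, one for the terminating NULL, with `calloc(arglen, sizeof (char *))` leaving the byte multiplication to the allocator, which also guards it against overflow.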
Submitter wants to work on bug
   Yes
Additional configuration information
   Generic and unimportant
opensolaris posting for this:

http://www.opensolaris.org/jive/thread.jspa?threadID=66397&tstart=0
Work Around
N/A
Comments
N/A