From 92a9bf12543aadfcc46e7ab9c2729b4d4d1f22ee Mon Sep 17 00:00:00 2001 From: Stelian Pop Date: Wed, 1 Mar 2000 10:16:05 +0000 Subject: [PATCH] Buffer overflow in dump, as reported from Bugtraq --- CHANGES | 8 +++++++- THANKS | 3 ++- dump/dump.h | 10 +++------- dump/itime.c | 4 ++-- dump/main.c | 16 ++++++++++------ dump/tape.c | 10 +++++----- restore/dirs.c | 8 ++++---- restore/symtab.c | 4 ++-- restore/tape.c | 20 ++++++++++---------- 9 files changed, 45 insertions(+), 38 deletions(-) diff --git a/CHANGES b/CHANGES index 9fa3c59..e4fdabf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,4 @@ -$Id: CHANGES,v 1.44 2000/02/26 01:35:48 stelian Exp $ +$Id: CHANGES,v 1.45 2000/03/01 10:16:05 stelian Exp $ Changes between versions 0.4b14 and 0.4b15 (released ?????????????????) ======================================================================= @@ -6,6 +6,12 @@ Changes between versions 0.4b14 and 0.4b15 (released ?????????????????) 1. Added a prompt command in interactive restore mode. Thanks to Andreas Dilger for the patch. +2. Fixed a buffer overflow problem in dump (caused by + not checking the size of the filesystem parameter). + Thanks to Kim Yong-jun for + reporting this on Bugtraq (and to several dump users + who forwarded me his mail). + Changes between versions 0.4b13 and 0.4b14 (released February 10, 2000) ======================================================================= diff --git a/THANKS b/THANKS index 284c05a..de78efe 100644 --- a/THANKS +++ b/THANKS @@ -1,4 +1,4 @@ -$Id: THANKS,v 1.22 2000/02/26 01:35:48 stelian Exp $ +$Id: THANKS,v 1.23 2000/03/01 10:16:05 stelian Exp $ Dump and restore were written by the people of the CSRG at the University of California, Berkeley. @@ -59,3 +59,4 @@ Stephen Tweedie sct@dcs.ed.ac.uk Daniel Veillard Daniel.Veillard@imag.fr Jason Venner jason@idiom.com Christian Weisgerber naddy@mips.rhein-neckar.de +Kim Yong-jun loveyou@hackerslab.org diff --git a/dump/dump.h b/dump/dump.h index 994706c..37b3c8b 100644 
--- a/dump/dump.h +++ b/dump/dump.h @@ -4,7 +4,7 @@ * Remy Card , 1994-1997 * Stelian Pop , 1999-2000 * - * $Id: dump.h,v 1.11 2000/02/26 01:35:48 stelian Exp $ + * $Id: dump.h,v 1.12 2000/03/01 10:16:05 stelian Exp $ */ /*- @@ -43,10 +43,6 @@ #define MAXINOPB (MAXBSIZE / sizeof(struct dinode)) #define MAXNINDIR (MAXBSIZE / sizeof(daddr_t)) -#ifndef NAME_MAX -#define NAME_MAX 255 -#endif - /* * Dump maps used to describe what is to be dumped. */ @@ -68,7 +64,7 @@ char *dumpinomap; /* map of files to be dumped */ * All calculations done in 0.1" units! */ char *disk; /* name of the disk file */ -char tape[NAME_MAX]; /* name of the tape file */ +char tape[MAXPATHLEN]; /* name of the tape file */ char *tapeprefix; /* prefix of the tape file */ char *dumpdates; /* name of the file containing dump date information*/ char lastlevel; /* dump level of previous dump */ @@ -196,7 +192,7 @@ struct fstab *fstabsearchdir __P((const char *key, char *dir)); /* search fs_fil * a linked list, and then (eventually) arrayified. */ struct dumpdates { - char dd_name[NAME_MAX+3]; + char dd_name[MAXPATHLEN+3]; char dd_level; time_t dd_ddate; }; diff --git a/dump/itime.c b/dump/itime.c index 09b1f33..64d7644 100644 --- a/dump/itime.c +++ b/dump/itime.c @@ -40,7 +40,7 @@ #ifndef lint static const char rcsid[] = - "$Id: itime.c,v 1.9 2000/01/21 10:17:41 stelian Exp $"; + "$Id: itime.c,v 1.10 2000/03/01 10:16:05 stelian Exp $"; #endif /* not lint */ #include @@ -299,7 +299,7 @@ makedumpdate(struct dumpdates *ddp, char *tbuf) /* device name */ if ( NULL == (tok = strsep( &tbuf, " ")) ) return(-1); - if ( strlen(tok) > NAME_MAX ) + if ( strlen(tok) > MAXPATHLEN ) return(-1); strcpy(ddp->dd_name, tok); diff --git a/dump/main.c b/dump/main.c index bc4de01..553a1e6 100644 --- a/dump/main.c +++ b/dump/main.c 
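Review bot: The length check in makedumpdate, `if ( strlen(tok) > MAXPATHLEN )`, is only safe because dump.h's dd_name was grown to MAXPATHLEN+3 in the same commit; the bound and the array live in different files, so resizing either one alone would quietly reopen the kind of overflow this commit fixes. Tying the check to the destination keeps them together: `if ( strlen(tok) >= sizeof ddp->dd_name )`. The `+3` in `char dd_name[MAXPATHLEN+3];` is unexplained; a comment on that field saying what the extra bytes are for (one is the terminator, the rest presumably historical slack) would help the next reader. The rest of makedumpdate lies outside the hunk.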
@@ -40,7 +40,7 @@ #ifndef lint static const char rcsid[] = - "$Id: main.c,v 1.16 2000/02/26 01:35:48 stelian Exp $"; + "$Id: main.c,v 1.17 2000/03/01 10:16:05 stelian Exp $"; #endif /* not lint */ #include @@ -121,8 +121,8 @@ main(int argc, char *argv[]) ino_t maxino; #ifdef __linux__ errcode_t retval; - char directory[NAME_MAX]; - char pathname[NAME_MAX]; + char directory[MAXPATHLEN]; + char pathname[MAXPATHLEN]; #endif time_t tnow; char labelstr[LBLSIZE]; @@ -283,6 +283,10 @@ main(int argc, char *argv[]) exit(X_STARTUP); } disk = *argv++; + if (strlen(disk) > MAXPATHLEN) { + (void)fprintf(stderr, "Disk or filesystem name too long: %s\n", disk); + exit(X_STARTUP); + } argc--; if (argc >= 1) { (void)fprintf(stderr, "Unknown arguments to dump:"); @@ -418,10 +422,10 @@ main(int argc, char *argv[]) } if (Mflag) - snprintf(tape, NAME_MAX, "%s%03d", tapeprefix, tapeno + 1); + snprintf(tape, MAXPATHLEN, "%s%03d", tapeprefix, tapeno + 1); else - strncpy(tape, tapeprefix, NAME_MAX); - tape[NAME_MAX - 1] = '\0'; + strncpy(tape, tapeprefix, MAXPATHLEN); + tape[MAXPATHLEN - 1] = '\0'; if (!sizest) { diff --git a/dump/tape.c b/dump/tape.c index f413394..5a50ff9 100644 --- a/dump/tape.c +++ b/dump/tape.c @@ -40,7 +40,7 @@ #ifndef lint static const char rcsid[] = - "$Id: tape.c,v 1.13 2000/02/26 01:35:48 stelian Exp $"; + "$Id: tape.c,v 1.14 2000/03/01 10:16:05 stelian Exp $"; #endif /* not lint */ #ifdef __linux__ @@ -715,8 +715,8 @@ restore_check_point: */ tapeno++; /* current tape sequence */ if (Mflag) { - snprintf(tape, NAME_MAX, "%s%03d", tapeprefix, tapeno); - tape[NAME_MAX - 1] = '\0'; + snprintf(tape, MAXPATHLEN, "%s%03d", tapeprefix, tapeno); + tape[MAXPATHLEN - 1] = '\0'; msg("Dumping volume %d on %s\n", tapeno, tape); } else if (nexttape || strchr(tapeprefix, ',')) { 
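Review bot: The new guard `if (strlen(disk) > MAXPATHLEN)` is off by one: it admits a name of exactly MAXPATHLEN bytes, while `directory[MAXPATHLEN]` and `pathname[MAXPATHLEN]` from the earlier hunk hold at most MAXPATHLEN-1 characters plus the terminator. If disk is copied into either of those with strcpy or sprintf further down main() (the copy is not visible in this hunk), a MAXPATHLEN-byte argument still overruns by the NUL byte; `if (strlen(disk) >= MAXPATHLEN)` closes that. A short comment on the check naming the buffers it protects would keep the bound from being loosened later. main() begins and ends outside the hunk.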
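Review bot: The copy into tape, `strncpy(tape, tapeprefix, MAXPATHLEN); tape[MAXPATHLEN - 1] = '\0';`, truncates an over-long tapeprefix silently, and in the Mflag branch `snprintf(tape, MAXPATHLEN, "%s%03d", tapeprefix, tapeno + 1)` loses the volume suffix first, so with a prefix of MAXPATHLEN-3 bytes or more every volume resolves to the same path and each overwrites the previous one. Since the commit already rejects an over-long disk name, the tape name deserves the same loud failure: `int n = snprintf(tape, MAXPATHLEN, "%s%03d", tapeprefix, tapeno + 1); if (n < 0 || n >= MAXPATHLEN) { (void)fprintf(stderr, "Tape name too long: %s\n", tapeprefix); exit(X_STARTUP); }`, the `n < 0` case covering libcs whose snprintf returns -1 on truncation, with an equivalent `strlen(tapeprefix) >= MAXPATHLEN` check on the strncpy branch. The same pattern recurs in both dump/tape.c hunks and in restore/tape.c (setinput and the @@ -361 hunk), where a truncated name would make restore reopen the same file for each volume. The `tape[MAXPATHLEN - 1] = '\0'` after snprintf is redundant, since snprintf always terminates when its size is nonzero, but harmless.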
@@ -727,8 +727,8 @@ restore_check_point: nexttape = p + 1; } else nexttape = NULL; - strncpy(tape, tapeprefix, NAME_MAX); - tape[NAME_MAX - 1] = '\0'; + strncpy(tape, tapeprefix, MAXPATHLEN); + tape[MAXPATHLEN - 1] = '\0'; msg("Dumping volume %d on %s\n", tapeno, tape); } #ifdef RDUMP diff --git a/restore/dirs.c b/restore/dirs.c index 558b2b6..2d559fe 100644 --- a/restore/dirs.c +++ b/restore/dirs.c @@ -45,7 +45,7 @@ #ifndef lint static const char rcsid[] = - "$Id: dirs.c,v 1.8 2000/02/10 09:42:32 stelian Exp $"; + "$Id: dirs.c,v 1.9 2000/03/01 10:16:05 stelian Exp $"; #endif /* not lint */ #include @@ -396,7 +396,7 @@ putdir(char *buf, size_t size) if ((dp->d_reclen & 0x3) != 0 || dp->d_reclen > i || dp->d_reclen < DIRSIZ(0, dp) || - dp->d_namlen > NAME_MAX) { + dp->d_namlen > MAXNAMLEN) { Vprintf(stdout, "Mangled directory: "); if ((dp->d_reclen & 0x3) != 0) Vprintf(stdout, @@ -405,10 +405,10 @@ putdir(char *buf, size_t size) Vprintf(stdout, "reclen less than DIRSIZ (%d < %d) ", dp->d_reclen, DIRSIZ(0, dp)); - if (dp->d_namlen > NAME_MAX) + if (dp->d_namlen > MAXNAMLEN) Vprintf(stdout, "reclen name too big (%d > %d) ", - dp->d_namlen, NAME_MAX); + dp->d_namlen, MAXNAMLEN); Vprintf(stdout, "\n"); loc += i; continue; diff --git a/restore/symtab.c b/restore/symtab.c index f44b5c6..740165b 100644 --- a/restore/symtab.c +++ b/restore/symtab.c @@ -40,7 +40,7 @@ #ifndef lint static const char rcsid[] = - "$Id: symtab.c,v 1.7 2000/01/21 10:17:41 stelian Exp $"; + "$Id: symtab.c,v 1.8 2000/03/01 10:16:05 stelian Exp $"; #endif /* not lint */ /* @@ -391,7 +391,7 @@ struct strhdr { #define STRTBLINCR (sizeof(struct strhdr)) #define allocsize(size) (((size) + 1 + STRTBLINCR - 1) & ~(STRTBLINCR - 1)) -static struct strhdr strtblhdr[allocsize(NAME_MAX) / STRTBLINCR]; +static struct strhdr strtblhdr[allocsize(MAXNAMLEN) / STRTBLINCR]; /* * Allocate space for a name. It first looks to see if it already diff --git a/restore/tape.c b/restore/tape.c index 416a5c1..0489574 100644 
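Review bot: The bound `dp->d_namlen > MAXNAMLEN` in putdir validates a name length read from the tape, and the free-list table in restore/symtab.c (`strtblhdr[allocsize(MAXNAMLEN) / STRTBLINCR]`, changed in the same commit) is sized from the same constant, presumably because names accepted here are later stored there; nothing in either file records that the two must agree. A comment on the check such as `/* d_namlen is tape-supplied; MAXNAMLEN must match the strtblhdr sizing in symtab.c */` would pin the dependency. The diagnostic text `reclen name too big` still reads as a reclen complaint although it reports the name length; `name too big` would be accurate. putdir starts before the hunk and continues past it.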
--- a/restore/tape.c +++ b/restore/tape.c @@ -45,7 +45,7 @@ #ifndef lint static const char rcsid[] = - "$Id: tape.c,v 1.11 2000/01/21 10:17:41 stelian Exp $"; + "$Id: tape.c,v 1.12 2000/03/01 10:16:05 stelian Exp $"; #endif /* not lint */ #include @@ -81,8 +81,8 @@ static const char rcsid[] = static long fssize = MAXBSIZE; static int mt = -1; static int pipein = 0; -static char magtape[NAME_MAX]; -static char magtapeprefix[NAME_MAX]; +static char magtape[MAXPATHLEN]; +static char magtapeprefix[MAXPATHLEN]; static int blkcnt; static int numtrec; static char *tapebuf; @@ -165,13 +165,13 @@ setinput(char *source) } setuid(getuid()); /* no longer need or want root privileges */ if (Mflag) { - strncpy(magtapeprefix, source, NAME_MAX); - magtapeprefix[NAME_MAX-1] = '\0'; - snprintf(magtape, NAME_MAX, "%s%03d", source, 1); + strncpy(magtapeprefix, source, MAXPATHLEN); + magtapeprefix[MAXPATHLEN-1] = '\0'; + snprintf(magtape, MAXPATHLEN, "%s%03d", source, 1); } else - strncpy(magtape, source, NAME_MAX); - magtape[NAME_MAX - 1] = '\0'; + strncpy(magtape, source, MAXPATHLEN); + magtape[MAXPATHLEN - 1] = '\0'; } void @@ -361,8 +361,8 @@ again: } closemt(); if (Mflag) { - snprintf(magtape, NAME_MAX, "%s%03ld", magtapeprefix, newvol); - magtape[NAME_MAX - 1] = '\0'; + snprintf(magtape, MAXPATHLEN, "%s%03ld", magtapeprefix, newvol); + magtape[MAXPATHLEN - 1] = '\0'; } if (!Mflag || haderror) { haderror = 0; -- 2.39.5
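Review bot: In setinput the Mflag branch builds the first volume name from `source` (`snprintf(magtape, MAXPATHLEN, "%s%03d", source, 1)`) while later volumes in the @@ -361 hunk are built from the truncated copy `magtapeprefix`; formatting both from `magtapeprefix` keeps every volume name derived the same way. Both branches still truncate silently: with a source of MAXPATHLEN-3 bytes or more the `%03d` suffix is cut off and every volume opens the same path, so a length check that exits with a diagnostic before the copies, `if (strlen(source) + 3 >= MAXPATHLEN)`, would be better than relying on the terminator writes. Not changed by this commit but on the line above the new code: the return value of `setuid(getuid())` is unchecked, so a failure would leave restore with its original privileges despite the comment. setinput begins before the hunk.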