Buffer overflow in dump, as reported from Bugtraq

diff --git a/CHANGES b/CHANGES
index 9fa3c596cd44f55d96adb44fdd7687c224cc90b7..e4fdabfadceb66517f302a7db3499dbd9136a4e5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,4 @@
-$Id: CHANGES,v 1.44 2000/02/26 01:35:48 stelian Exp $
+$Id: CHANGES,v 1.45 2000/03/01 10:16:05 stelian Exp $

 
 Changes between versions 0.4b14 and 0.4b15 (released ?????????????????)
 =======================================================================
 
 Changes between versions 0.4b14 and 0.4b15 (released ?????????????????)
 =======================================================================


@@ -6,6 +6,12 @@ Changes between versions 0.4b14 and 0.4b15 (released ?????????????????)
 1.     Added a prompt command in interactive restore mode. Thanks
        to Andreas Dilger <adilger@home.com> for the patch.
 
 1.     Added a prompt command in interactive restore mode. Thanks
        to Andreas Dilger <adilger@home.com> for the patch.
 

+2.     Fixed a buffer overflow problem in dump (caused by 
+       not checking the size of the filesystem parameter). 
+       Thanks to Kim Yong-jun <loveyou@hackerslab.org> for
+       reporting this on Bugtraq (and to several dump users
+       who forwarded me his mail).
+

 Changes between versions 0.4b13 and 0.4b14 (released February 10, 2000)
 =======================================================================
 
 Changes between versions 0.4b13 and 0.4b14 (released February 10, 2000)
 =======================================================================
 

diff --git a/THANKS b/THANKS
index 284c05a6e497b7c8099cc2bf85e2fc874aab2cd6..de78efeb26952dc3c29fe6fce6e96b5e69b0f2c7 100644 (file)
--- a/THANKS
+++ b/THANKS
@@ -1,4 +1,4 @@
-$Id: THANKS,v 1.22 2000/02/26 01:35:48 stelian Exp $
+$Id: THANKS,v 1.23 2000/03/01 10:16:05 stelian Exp $

 
 Dump and restore were written by the people of the CSRG at the University
 of California, Berkeley.
 
 Dump and restore were written by the people of the CSRG at the University
 of California, Berkeley.


@@ -59,3 +59,4 @@ Stephen Tweedie               sct@dcs.ed.ac.uk
 Daniel Veillard                Daniel.Veillard@imag.fr
 Jason Venner           jason@idiom.com
 Christian Weisgerber   naddy@mips.rhein-neckar.de
 Daniel Veillard                Daniel.Veillard@imag.fr
 Jason Venner           jason@idiom.com
 Christian Weisgerber   naddy@mips.rhein-neckar.de

+Kim Yong-jun           loveyou@hackerslab.org

diff --git a/dump/dump.h b/dump/dump.h
index 994706cf8fcfaf8324fe806283c11c6c53a10e0a..37b3c8bcc186d343ec40a4e25513134e5197a59c 100644 (file)
--- a/dump/dump.h
+++ b/dump/dump.h
@@ -4,7 +4,7 @@
  *     Remy Card <card@Linux.EU.Org>, 1994-1997
  *     Stelian Pop <pop@cybercable.fr>, 1999-2000
  *
  *     Remy Card <card@Linux.EU.Org>, 1994-1997
  *     Stelian Pop <pop@cybercable.fr>, 1999-2000
  *

- *     $Id: dump.h,v 1.11 2000/02/26 01:35:48 stelian Exp $
+ *     $Id: dump.h,v 1.12 2000/03/01 10:16:05 stelian Exp $

  */
 
 /*-
  */
 
 /*-


@@ -43,10 +43,6 @@
 #define MAXINOPB       (MAXBSIZE / sizeof(struct dinode))
 #define MAXNINDIR      (MAXBSIZE / sizeof(daddr_t))
 
 #define MAXINOPB       (MAXBSIZE / sizeof(struct dinode))
 #define MAXNINDIR      (MAXBSIZE / sizeof(daddr_t))
 

-#ifndef NAME_MAX
-#define NAME_MAX 255
-#endif
-

 /*
  * Dump maps used to describe what is to be dumped.
  */
 /*
  * Dump maps used to describe what is to be dumped.
  */


@@ -68,7 +64,7 @@ char  *dumpinomap;    /* map of files to be dumped */
  *     All calculations done in 0.1" units!
  */
 char   *disk;          /* name of the disk file */
  *     All calculations done in 0.1" units!
  */
 char   *disk;          /* name of the disk file */

-char   tape[NAME_MAX]; /* name of the tape file */
+char   tape[MAXPATHLEN];       /* name of the tape file */

 char   *tapeprefix;    /* prefix of the tape file */
 char   *dumpdates;     /* name of the file containing dump date information*/
 char   lastlevel;      /* dump level of previous dump */
 char   *tapeprefix;    /* prefix of the tape file */
 char   *dumpdates;     /* name of the file containing dump date information*/
 char   lastlevel;      /* dump level of previous dump */


@@ -196,7 +192,7 @@ struct      fstab *fstabsearchdir __P((const char *key, char *dir));        /* search fs_fil
  *     a linked list, and then (eventually) arrayified.
  */
 struct dumpdates {
  *     a linked list, and then (eventually) arrayified.
  */
 struct dumpdates {

-       char    dd_name[NAME_MAX+3];
+       char    dd_name[MAXPATHLEN+3];

        char    dd_level;
        time_t  dd_ddate;
 };
        char    dd_level;
        time_t  dd_ddate;
 };

diff --git a/dump/itime.c b/dump/itime.c
index 09b1f3365a4c858a174fa33492899fd4fa375954..64d7644c6f8123f4e6ec31e1fb17602b030b015c 100644 (file)
--- a/dump/itime.c
+++ b/dump/itime.c
@@ -40,7 +40,7 @@
 
 #ifndef lint
 static const char rcsid[] =
 
 #ifndef lint
 static const char rcsid[] =

-       "$Id: itime.c,v 1.9 2000/01/21 10:17:41 stelian Exp $";
+       "$Id: itime.c,v 1.10 2000/03/01 10:16:05 stelian Exp $";

 #endif /* not lint */
 
 #include <sys/param.h>
 #endif /* not lint */
 
 #include <sys/param.h>


@@ -299,7 +299,7 @@ makedumpdate(struct dumpdates *ddp, char *tbuf)
        /* device name */
        if ( NULL == (tok = strsep( &tbuf, " ")) )
                return(-1);
        /* device name */
        if ( NULL == (tok = strsep( &tbuf, " ")) )
                return(-1);

-       if ( strlen(tok) >  NAME_MAX )
+       if ( strlen(tok) >  MAXPATHLEN )

                return(-1);
        strcpy(ddp->dd_name, tok);
 
                return(-1);
        strcpy(ddp->dd_name, tok);
 

diff --git a/dump/main.c b/dump/main.c
index bc4de017f7b1fa0b526d9798ba9018129428e4f2..553a1e66831f781e0ff628387af11ae68c6c47a0 100644 (file)
--- a/dump/main.c
+++ b/dump/main.c
@@ -40,7 +40,7 @@
 
 #ifndef lint
 static const char rcsid[] =
 
 #ifndef lint
 static const char rcsid[] =

-       "$Id: main.c,v 1.16 2000/02/26 01:35:48 stelian Exp $";
+       "$Id: main.c,v 1.17 2000/03/01 10:16:05 stelian Exp $";

 #endif /* not lint */
 
 #include <sys/param.h>
 #endif /* not lint */
 
 #include <sys/param.h>


@@ -121,8 +121,8 @@ main(int argc, char *argv[])
        ino_t maxino;
 #ifdef __linux__
        errcode_t retval;
        ino_t maxino;
 #ifdef __linux__
        errcode_t retval;

-       char directory[NAME_MAX];
-       char pathname[NAME_MAX];
+       char directory[MAXPATHLEN];
+       char pathname[MAXPATHLEN];

 #endif
        time_t tnow;
        char labelstr[LBLSIZE];
 #endif
        time_t tnow;
        char labelstr[LBLSIZE];


@@ -283,6 +283,10 @@ main(int argc, char *argv[])
                exit(X_STARTUP);
        }
        disk = *argv++;
                exit(X_STARTUP);
        }
        disk = *argv++;

+       if (strlen(disk) > MAXPATHLEN) {
+               (void)fprintf(stderr, "Disk or filesystem name too long: %s\n", disk);
+               exit(X_STARTUP);
+       }

        argc--;
        if (argc >= 1) {
                (void)fprintf(stderr, "Unknown arguments to dump:");
        argc--;
        if (argc >= 1) {
                (void)fprintf(stderr, "Unknown arguments to dump:");


@@ -418,10 +422,10 @@ main(int argc, char *argv[])
        }
 
        if (Mflag)
        }
 
        if (Mflag)

-               snprintf(tape, NAME_MAX, "%s%03d", tapeprefix, tapeno + 1);
+               snprintf(tape, MAXPATHLEN, "%s%03d", tapeprefix, tapeno + 1);

        else
        else

-               strncpy(tape, tapeprefix, NAME_MAX);
-       tape[NAME_MAX - 1] = '\0';
+               strncpy(tape, tapeprefix, MAXPATHLEN);
+       tape[MAXPATHLEN - 1] = '\0';

 
        if (!sizest) {
 
 
        if (!sizest) {
 

diff --git a/dump/tape.c b/dump/tape.c
index f4133942dd332a771d667c211c7c6c6a46bdea54..5a50ff95aaf66e814efad447026639090b8814e9 100644 (file)
--- a/dump/tape.c
+++ b/dump/tape.c
@@ -40,7 +40,7 @@
 
 #ifndef lint
 static const char rcsid[] =
 
 #ifndef lint
 static const char rcsid[] =

-       "$Id: tape.c,v 1.13 2000/02/26 01:35:48 stelian Exp $";
+       "$Id: tape.c,v 1.14 2000/03/01 10:16:05 stelian Exp $";

 #endif /* not lint */
 
 #ifdef __linux__
 #endif /* not lint */
 
 #ifdef __linux__


@@ -715,8 +715,8 @@ restore_check_point:
                 */
                tapeno++;               /* current tape sequence */
                if (Mflag) {
                 */
                tapeno++;               /* current tape sequence */
                if (Mflag) {

-                       snprintf(tape, NAME_MAX, "%s%03d", tapeprefix, tapeno);
-                       tape[NAME_MAX - 1] = '\0';
+                       snprintf(tape, MAXPATHLEN, "%s%03d", tapeprefix, tapeno);
+                       tape[MAXPATHLEN - 1] = '\0';

                        msg("Dumping volume %d on %s\n", tapeno, tape);
                }
                else if (nexttape || strchr(tapeprefix, ',')) {
                        msg("Dumping volume %d on %s\n", tapeno, tape);
                }
                else if (nexttape || strchr(tapeprefix, ',')) {


@@ -727,8 +727,8 @@ restore_check_point:
                                nexttape = p + 1;
                        } else
                                nexttape = NULL;
                                nexttape = p + 1;
                        } else
                                nexttape = NULL;

-                       strncpy(tape, tapeprefix, NAME_MAX);
-                       tape[NAME_MAX - 1] = '\0';
+                       strncpy(tape, tapeprefix, MAXPATHLEN);
+                       tape[MAXPATHLEN - 1] = '\0';

                        msg("Dumping volume %d on %s\n", tapeno, tape);
                }
 #ifdef RDUMP
                        msg("Dumping volume %d on %s\n", tapeno, tape);
                }
 #ifdef RDUMP

diff --git a/restore/dirs.c b/restore/dirs.c
index 558b2b681a6718ab6e0a8fd8e3df853c4970ddd5..2d559fea248efd3078ad63a21c6eb5cf8e9098d1 100644 (file)
--- a/restore/dirs.c
+++ b/restore/dirs.c
@@ -45,7 +45,7 @@
 
 #ifndef lint
 static const char rcsid[] =
 
 #ifndef lint
 static const char rcsid[] =

-       "$Id: dirs.c,v 1.8 2000/02/10 09:42:32 stelian Exp $";
+       "$Id: dirs.c,v 1.9 2000/03/01 10:16:05 stelian Exp $";

 #endif /* not lint */
 
 #include <sys/param.h>
 #endif /* not lint */
 
 #include <sys/param.h>


@@ -396,7 +396,7 @@ putdir(char *buf, size_t size)
                        if ((dp->d_reclen & 0x3) != 0 ||
                            dp->d_reclen > i ||
                            dp->d_reclen < DIRSIZ(0, dp) ||
                        if ((dp->d_reclen & 0x3) != 0 ||
                            dp->d_reclen > i ||
                            dp->d_reclen < DIRSIZ(0, dp) ||

-                           dp->d_namlen > NAME_MAX) {
+                           dp->d_namlen > MAXNAMLEN) {

                                Vprintf(stdout, "Mangled directory: ");
                                if ((dp->d_reclen & 0x3) != 0)
                                        Vprintf(stdout,
                                Vprintf(stdout, "Mangled directory: ");
                                if ((dp->d_reclen & 0x3) != 0)
                                        Vprintf(stdout,


@@ -405,10 +405,10 @@ putdir(char *buf, size_t size)
                                        Vprintf(stdout,
                                           "reclen less than DIRSIZ (%d < %d) ",
                                           dp->d_reclen, DIRSIZ(0, dp));
                                        Vprintf(stdout,
                                           "reclen less than DIRSIZ (%d < %d) ",
                                           dp->d_reclen, DIRSIZ(0, dp));

-                               if (dp->d_namlen > NAME_MAX)
+                               if (dp->d_namlen > MAXNAMLEN)

                                        Vprintf(stdout,
                                           "reclen name too big (%d > %d) ",
                                        Vprintf(stdout,
                                           "reclen name too big (%d > %d) ",

-                                          dp->d_namlen, NAME_MAX);
+                                          dp->d_namlen, MAXNAMLEN);

                                Vprintf(stdout, "\n");
                                loc += i;
                                continue;
                                Vprintf(stdout, "\n");
                                loc += i;
                                continue;

diff --git a/restore/symtab.c b/restore/symtab.c
index f44b5c65c1124d6ce40227d09abe3bee897a43eb..740165b241631814a54eef7c65ef1ea7ea04e6c3 100644 (file)
--- a/restore/symtab.c
+++ b/restore/symtab.c
@@ -40,7 +40,7 @@
 
 #ifndef lint
 static const char rcsid[] =
 
 #ifndef lint
 static const char rcsid[] =

-       "$Id: symtab.c,v 1.7 2000/01/21 10:17:41 stelian Exp $";
+       "$Id: symtab.c,v 1.8 2000/03/01 10:16:05 stelian Exp $";

 #endif /* not lint */
 
 /*
 #endif /* not lint */
 
 /*


@@ -391,7 +391,7 @@ struct strhdr {
 #define STRTBLINCR     (sizeof(struct strhdr))
 #define allocsize(size)        (((size) + 1 + STRTBLINCR - 1) & ~(STRTBLINCR - 1))
 
 #define STRTBLINCR     (sizeof(struct strhdr))
 #define allocsize(size)        (((size) + 1 + STRTBLINCR - 1) & ~(STRTBLINCR - 1))
 

-static struct strhdr strtblhdr[allocsize(NAME_MAX) / STRTBLINCR];
+static struct strhdr strtblhdr[allocsize(MAXNAMLEN) / STRTBLINCR];

 
 /*
  * Allocate space for a name. It first looks to see if it already
 
 /*
  * Allocate space for a name. It first looks to see if it already

diff --git a/restore/tape.c b/restore/tape.c
index 416a5c1d4031cd891bf12bc9b02093e57886152f..0489574a5f9730acf59697b000281a5907deca64 100644 (file)
--- a/restore/tape.c
+++ b/restore/tape.c
@@ -45,7 +45,7 @@
 
 #ifndef lint
 static const char rcsid[] =
 
 #ifndef lint
 static const char rcsid[] =

-       "$Id: tape.c,v 1.11 2000/01/21 10:17:41 stelian Exp $";
+       "$Id: tape.c,v 1.12 2000/03/01 10:16:05 stelian Exp $";

 #endif /* not lint */
 
 #include <sys/param.h>
 #endif /* not lint */
 
 #include <sys/param.h>


@@ -81,8 +81,8 @@ static const char rcsid[] =
 static long    fssize = MAXBSIZE;
 static int     mt = -1;
 static int     pipein = 0;
 static long    fssize = MAXBSIZE;
 static int     mt = -1;
 static int     pipein = 0;

-static char    magtape[NAME_MAX];
-static char    magtapeprefix[NAME_MAX];
+static char    magtape[MAXPATHLEN];
+static char    magtapeprefix[MAXPATHLEN];

 static int     blkcnt;
 static int     numtrec;
 static char    *tapebuf;
 static int     blkcnt;
 static int     numtrec;
 static char    *tapebuf;


@@ -165,13 +165,13 @@ setinput(char *source)
        }
        setuid(getuid());       /* no longer need or want root privileges */
        if (Mflag) {
        }
        setuid(getuid());       /* no longer need or want root privileges */
        if (Mflag) {

-               strncpy(magtapeprefix, source, NAME_MAX);
-               magtapeprefix[NAME_MAX-1] = '\0';
-               snprintf(magtape, NAME_MAX, "%s%03d", source, 1);
+               strncpy(magtapeprefix, source, MAXPATHLEN);
+               magtapeprefix[MAXPATHLEN-1] = '\0';
+               snprintf(magtape, MAXPATHLEN, "%s%03d", source, 1);

        }
        else
        }
        else

-               strncpy(magtape, source, NAME_MAX);
-       magtape[NAME_MAX - 1] = '\0';
+               strncpy(magtape, source, MAXPATHLEN);
+       magtape[MAXPATHLEN - 1] = '\0';

 }
 
 void
 }
 
 void


@@ -361,8 +361,8 @@ again:
        }
        closemt();
        if (Mflag) {
        }
        closemt();
        if (Mflag) {

-               snprintf(magtape, NAME_MAX, "%s%03ld", magtapeprefix, newvol);
-               magtape[NAME_MAX - 1] = '\0';
+               snprintf(magtape, MAXPATHLEN, "%s%03ld", magtapeprefix, newvol);
+               magtape[MAXPATHLEN - 1] = '\0';

        }
        if (!Mflag || haderror) {
                haderror = 0;
        }
        if (!Mflag || haderror) {
                haderror = 0;