chfn: Prevent buffer overflow.
This is a stability fix, not a security fix, because the affected -o option can only be used by root and it takes a modified passwd file. If a gecos field for a user has BUFSIZ characters without commas and an equals sign (i.e. a huge slop/extra field) and chfn is called with -o, then a buffer overflow occurs. It is not possible to trigger this with shadow tools. Therefore, the passwd file must be modified manually. I have fixed this unlikely case the easiest and cleanest way possible. Since chfn bails out if more than 80 characters excluding commas are supposed to be written into gecos field, we can stop processing early on if -o argument is too long. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
This commit is contained in:
parent
607f1dd549
commit
875d2d49c1
@ -61,7 +61,7 @@ static char fullnm[BUFSIZ];
|
|||||||
static char roomno[BUFSIZ];
|
static char roomno[BUFSIZ];
|
||||||
static char workph[BUFSIZ];
|
static char workph[BUFSIZ];
|
||||||
static char homeph[BUFSIZ];
|
static char homeph[BUFSIZ];
|
||||||
static char slop[BUFSIZ];
|
static char slop[BUFSIZ + 1 + 80];
|
||||||
static bool amroot;
|
static bool amroot;
|
||||||
/* Flags */
|
/* Flags */
|
||||||
static bool fflg = false; /* -f - set full name */
|
static bool fflg = false; /* -f - set full name */
|
||||||
@ -311,6 +311,11 @@ static void process_flags (int argc, char **argv)
|
|||||||
exit (E_NOPERM);
|
exit (E_NOPERM);
|
||||||
}
|
}
|
||||||
oflg = true;
|
oflg = true;
|
||||||
|
if (strlen (optarg) > (unsigned int) 80) {
|
||||||
|
fprintf (stderr,
|
||||||
|
_("%s: fields too long\n"), Prog);
|
||||||
|
exit (E_NOPERM);
|
||||||
|
}
|
||||||
STRFCPY (slop, optarg);
|
STRFCPY (slop, optarg);
|
||||||
break;
|
break;
|
||||||
case 'r':
|
case 'r':
|
||||||
|
Loading…
Reference in New Issue
Block a user