From 875d2d49c1a5143da312ea18ed78486b4e25a78d Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 12 Jul 2020 19:01:52 +0200
Subject: [PATCH] chfn: Prevent buffer overflow.

This is a stability fix, not a security fix, because the affected -o option can only be used by root and it takes a modified passwd file.

If a gecos field for a user has BUFSIZ characters without commas and an equals sign (i.e. a huge slop/extra field) and chfn is called with -o, then a buffer overflow occurs.

It is not possible to trigger this with shadow tools. Therefore, the passwd file must be modified manually.

I have fixed this unlikely case the easiest and cleanest way possible. Since chfn bails out if more than 80 characters excluding commas are supposed to be written into gecos field, we can stop processing early on if -o argument is too long.

Signed-off-by: Tobias Stoeckmann
---
 src/chfn.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/chfn.c b/src/chfn.c
index b2658fcf..cfcfa351 100644
--- a/src/chfn.c
+++ b/src/chfn.c
@@ -61,7 +61,7 @@ static char fullnm[BUFSIZ];
 static char roomno[BUFSIZ];
 static char workph[BUFSIZ];
 static char homeph[BUFSIZ];
-static char slop[BUFSIZ];
+static char slop[BUFSIZ + 1 + 80];
 static bool amroot;
 /* Flags */
 static bool fflg = false; /* -f - set full name */
@@ -311,6 +311,11 @@ static void process_flags (int argc, char **argv)
 exit (E_NOPERM);
 }
 oflg = true;
+ if (strlen (optarg) > (unsigned int) 80) {
+ fprintf (stderr,
+ _("%s: fields too long\n"), Prog);
+ exit (E_NOPERM);
+ }
 STRFCPY (slop, optarg);
 break;
 case 'r':
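Review bot: The new size `BUFSIZ + 1 + 80` on the `slop` declaration carries no comment, and the 80 is a bare literal that has to stay equal to the 80 in the new `strlen (optarg)` check in process_flags and to the gecos field limit the commit message refers to, so the three can silently drift apart on a later edit. A comment on the declaration would make the sizing checkable, e.g. `/* -o value (at most 80 bytes) + ',' + the leftover "key=value" fields carried over from the existing gecos entry (under BUFSIZ bytes) */`; the second term is my reading of the commit message ("a huge slop/extra field"), so confirm it against the code that fills `slop` before committing to the wording. Better still, define the limit once, e.g. `#define MAX_SLOP_LEN 80`, and use it both here and in the check.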
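Review bot: The added check compares `strlen (optarg)` against `(unsigned int) 80`: the cast is unnecessary (strlen returns size_t and 80 converts cleanly), and the literal duplicates the `+ 80` in the `slop` declaration and, per the commit message, the 80-character limit enforced later on the gecos field, with nothing tying them together. `if (strlen (optarg) > MAX_SLOP_LEN) {` with one shared `#define MAX_SLOP_LEN 80` next to the `slop` declaration would keep the bound and the buffer size in step. The new branch also exits with E_NOPERM, the same status the root check immediately above uses; if chfn defines a status that better fits a bad argument value (E_USAGE, say, if it exists in this file), that would be more accurate for scripts inspecting the exit code. process_flags starts before this hunk and continues past `case 'r':`.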