Buffer overflow in disklabel

Kris Kennaway kris at obsecurity.org
Sat Apr 19 20:23:05 PDT 2003


Run the following under /bin/sh (not tcsh, which - still! - has a bug
that causes the command to hang tcsh):

# disklabel `perl -e 'print "a"x51200'`
Segmentation fault (core dumped)

The responsible code is:

        dkname = argv[0];
        if (dkname[0] != '/') {
                /* unbounded: dkname comes straight from argv into the fixed-size namebuf */
                (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
                specname = np;
                np += strlen(specname) + 1;
        } else
                specname = dkname;
        f = open(specname, op == READ ? O_RDONLY : O_RDWR);
        if (f < 0 && errno == ENOENT && dkname[0] != '/') {
                /* same unbounded copy again on the ENOENT retry */
                (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
                np = namebuf + strlen(specname) + 1;
                f = open(specname, op == READ ? O_RDONLY : O_RDWR);
        }

i.e. overflowing an 8k buffer.  Does anyone feel like fixing it?

Kris
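As an added example (not the disklabel source and not Kris's code), here is a bounded version of the same path construction that rejects a device name that will not fit in the 8k namebuf instead of writing past it; NAMEBUF_SIZE, the function names and the constructed 51200-byte input are assumptions, while the "/dev/" prefix and RAW_PART value follow FreeBSD's definitions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the disklabel source. NAMEBUF_SIZE, the function names
 * and the constructed inputs are assumptions; DEV_PREFIX and RAW_PART follow
 * FreeBSD's _PATH_DEV ("/dev/") and RAW_PART (2, the 'c' partition). */
#define NAMEBUF_SIZE 8192
#define DEV_PREFIX   "/dev/"
#define RAW_PART     2

/* Bounded replacement for the two sprintf() calls: "/dev/<dkname>c" when raw,
 * else "/dev/<dkname>". Returns 0, or -1 with errno ENAMETOOLONG if it won't fit. */
int build_specname(char *buf, size_t buflen, const char *dkname, int raw)
{
    int n;
    if (dkname[0] == '/')          /* absolute path: copy, still bounded */
        n = snprintf(buf, buflen, "%s", dkname);
    else if (raw)
        n = snprintf(buf, buflen, "%s%s%c", DEV_PREFIX, dkname, 'a' + RAW_PART);
    else
        n = snprintf(buf, buflen, "%s%s", DEV_PREFIX, dkname);
    /* snprintf returns the length it wanted; >= buflen means truncation. */
    if (n < 0 || (size_t)n >= buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* 1 if the bounded build of dkname succeeds and equals expected, else 0. */
int specname_is(const char *dkname, int raw, const char *expected)
{
    char namebuf[NAMEBUF_SIZE];
    if (build_specname(namebuf, sizeof namebuf, dkname, raw) != 0)
        return 0;
    return strcmp(namebuf, expected) == 0;
}

/* The post's 51200-byte argument, constructed in memory: 1 if it is rejected
 * (errno ENAMETOOLONG) instead of being written past namebuf. */
int long_name_rejected(void)
{
    static char bigname[51201];
    char namebuf[NAMEBUF_SIZE];
    memset(bigname, 'a', sizeof bigname - 1);
    bigname[sizeof bigname - 1] = '\0';
    return build_specname(namebuf, sizeof namebuf, bigname, 1) == -1
           && errno == ENAMETOOLONG;
}
```

The caller still has to check the return value and report the error rather than proceeding with a half-built name.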