git: 3d680881f6ed - stable/15 - quot: Fix benign buffer overflow
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 20 Oct 2025 16:11:35 UTC
The branch stable/15 has been updated by des:
URL: https://cgit.FreeBSD.org/src/commit/?id=3d680881f6ed2f55079aac26cf0ded307c282563
commit 3d680881f6ed2f55079aac26cf0ded307c282563
Author: Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-10-17 11:54:48 +0000
Commit: Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-10-20 16:11:21 +0000
quot: Fix benign buffer overflow
If it encounters an inode whose owner does not have a pw entry, quot
allocates a 7-byte buffer (8 in practice, since that is the minimum
allocation size) and uses it to store the numeric uid preceded by a
hash character. This will overflow the allocated buffer if the UID
exceeds 6 decimal digits. Avoid this by using asprintf() instead.
While here, simplify the common case as well using strdup().
Reported by: Igor Gabriel Sousa e Souza <igor@bsdtrust.com>
MFC after: 3 days
Reviewed by: obiwac, emaste
Differential Revision: https://reviews.freebsd.org/D53129
(cherry picked from commit 5854d1cbab1073d78519e7ad9a6eb5726341d587)
---
usr.sbin/quot/quot.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/usr.sbin/quot/quot.c b/usr.sbin/quot/quot.c
index 4152c498371a..c11c46a500a1 100644
--- a/usr.sbin/quot/quot.c
+++ b/usr.sbin/quot/quot.c
@@ -280,14 +280,10 @@ user(uid_t uid)
usr--) {
if (!usr->name) {
usr->uid = uid;
-
if (!(pwd = getpwuid(uid))) {
- if ((usr->name = (char *)malloc(7)))
- sprintf(usr->name,"#%d",uid);
+ asprintf(&usr->name, "#%u", uid);
} else {
- if ((usr->name = (char *)
- malloc(strlen(pwd->pw_name) + 1)))
- strcpy(usr->name,pwd->pw_name);
+ usr->name = strdup(pwd->pw_name);
}
if (!usr->name)
errx(1, "allocate users");