Synopsis: gzip buffer overrun with long filename
NetBSD versions: 1.4, 1.4.1, 1.4.2, 1.4.3, 1.5, 1.5.1, 1.5.2, -current
Thanks to: Jun-ichiro itojun Hagino
Reported in NetBSD Security Advisory: NetBSD-SA2002-002

Index: gzip.c
===================================================================
RCS file: /cvsroot/gnusrc/gnu/usr.bin/gzip/gzip.c,v
retrieving revision 1.6
retrieving revision 1.6.6.1
diff -c -p -r1.6 -r1.6.6.1
*** gzip.c      1999/08/20 02:36:28     1.6
--- gzip.c      2002/01/16 10:03:34     1.6.6.1
*************** local int get_istat(iname, sbuf)
*** 1005,1011 ****
 #ifdef NO_MULTIPLE_DOTS
     char *dot; /* pointer to ifname extension, or NULL */
 #endif
!
     strcpy(ifname, iname);

     /* If input file exists, return OK. */
--- 1005,1018 ----
 #ifdef NO_MULTIPLE_DOTS
     char *dot; /* pointer to ifname extension, or NULL */
 #endif
!     int max_suffix_len = (z_len > 3 ? z_len : 3);
!
!     /* Leave enough room in ifname or ofname for suffix: */
!     if (strlen(iname) >= sizeof(ifname) - max_suffix_len) {
!       strncpy(ifname, iname, sizeof(ifname) - 1);
!       /* last byte of ifname is already zero and never overwritten */
!       error("file name too long");
!     }
     strcpy(ifname, iname);

     /* If input file exists, return OK. */
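Review bot: The `strcpy(ifname, iname)` immediately after the new guard is only safe because `error("file name too long")` never returns; should error() ever return, the overflow this advisory fixes comes straight back, so the guard branch should not fall through to the copy, e.g. `error("file name too long"); return ERROR; /* error() does not return; be explicit anyway */` (get_istat returns int, and its body begins and ends outside the hunk). The bound also depends on `z_len` being small: `sizeof(ifname) - max_suffix_len` is a size_t subtraction, and if the user-supplied `-S` suffix length were ever larger than sizeof(ifname) it would wrap and the check would never fire — gzip appears to cap z_len at MAX_SUFFIX during option parsing, but that is not visible in this hunk and deserves a comment here, e.g. `/* z_len is bounded by MAX_SUFFIX at option parsing, so this cannot wrap */`. The comment "last byte of ifname is already zero and never overwritten" states an invariant on a buffer reused across input files that only holds if nothing else in the file writes that byte; `strncpy(ifname, iname, sizeof(ifname) - 1)` does not terminate on its own, so adding `ifname[sizeof(ifname) - 1] = '\0';` before error() makes termination of the message path explicit rather than inherited.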