
Prevent buffer overrun in tzsetup (for -C with overly large parameter)
Accepted · Public

Authored by se on Jan 22 2019, 1:56 PM.

Details

Reviewers
hselasky
Group Reviewers
Src Committers
Summary

The tzsetup command has been included in a CI report due to its use of strcpy(). While this particular use is safe and the report is a false positive given the constant strings copied into a PATH_MAX sized buffer, there is an actual potential buffer overrun nearby where the unbounded size value of chrootenv is assigned to fixed size buffers.

While the strcpy() uses are safe unless the _PATH_* defines are changed, I propose to silence the CI report by use of strlcpy.
The sprintf() calls are replaced by snprintf() to prevent overflow. (Not reported by CI.)

Test Plan

Build the tzsetup binary with the patch.
Assert that there are no compiler warnings/errors.
Verify that the command still operates correctly (finds the required files with and without "-C chrootenv").

Diff Detail

Repository
rS FreeBSD src repository
Lint
Lint Skipped
Unit
Unit Tests Skipped
Build Status
Buildable 22072

Event Timeline

se created this revision. Jan 22 2019, 1:56 PM
emaste added a subscriber: emaste. Jan 22 2019, 4:50 PM
hselasky accepted this revision. Jul 31 2019, 9:25 AM
This revision is now accepted and ready to land. Jul 31 2019, 9:25 AM
hselasky added inline comments. Jul 31 2019, 9:30 AM
usr.sbin/tzsetup/tzsetup.c:946

You could also compile time assert that the buffer is big enough.
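The two points raised on this review, bounding the copy of an attacker-length `chrootenv` value into fixed-size buffers (the summary's strlcpy()/snprintf() change) and the reviewer's suggestion of a compile-time size assertion, are illustrated below in an added example. This is not code from tzsetup or the FreeBSD tree: the `EXAMPLE_*` path macros, `build_chroot_path()` and `copy_path_bounded()` are hypothetical stand-ins, and the real `_PATH_*` defines are not reproduced here.

```c
#include <assert.h>
#include <limits.h>   /* PATH_MAX on most platforms */
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 1024
#endif

/* Hypothetical stand-ins for the constant paths tzsetup composes
 * (the real _PATH_* defines live in the FreeBSD source, not here). */
#define EXAMPLE_ZONEINFO_DIR "/usr/share/zoneinfo"
#define EXAMPLE_LOCALTIME    "/etc/localtime"

/* Compile-time checks in the spirit of the reviewer's suggestion: a
 * constant string copied into a PATH_MAX buffer must always fit, including
 * its terminating NUL (sizeof counts it), so a future change to the
 * constants fails the build instead of overrunning at run time. */
_Static_assert(sizeof(EXAMPLE_ZONEINFO_DIR) <= PATH_MAX,
               "zoneinfo path exceeds PATH_MAX");
_Static_assert(sizeof(EXAMPLE_LOCALTIME) <= PATH_MAX,
               "localtime path exceeds PATH_MAX");

/*
 * Build "<chrootenv><suffix>" into a fixed-size buffer.  chrootenv comes
 * from the command line (-C), so its length is not under program control.
 * snprintf() bounds the write and its return value tells us whether the
 * result was truncated; an unchecked sprintf() would have written past
 * the end of dst.  Returns 0 on success, -1 if the path does not fit.
 */
int build_chroot_path(char *dst, size_t dstsz, const char *chrootenv,
                      const char *suffix)
{
    int n;

    if (chrootenv == NULL)
        chrootenv = "";
    n = snprintf(dst, dstsz, "%s%s", chrootenv, suffix);
    if (n < 0 || (size_t)n >= dstsz) {
        /* Truncated: refuse to hand back a half-built path. */
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/*
 * Bounded copy of a path.  strlcpy() (BSD libc) returns the length it tried
 * to create, so a value >= dstsz signals truncation.  A portable fallback
 * with the same contract is used where strlcpy() may be unavailable.
 * Returns 0 on success, -1 if src was truncated.
 */
int copy_path_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t need;

#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    need = strlcpy(dst, src, dstsz);
#else
    need = strlen(src);
    if (dstsz > 0) {
        size_t n = need < dstsz - 1 ? need : dstsz - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
#endif
    return need >= dstsz ? -1 : 0;
}

int main(void)
{
    char path[PATH_MAX];

    /* Constructed inputs: a short chroot that fits and one that does not. */
    if (build_chroot_path(path, sizeof path, "/mnt", EXAMPLE_LOCALTIME) == 0)
        printf("ok: %s\n", path);
    if (copy_path_bounded(path, 8, EXAMPLE_ZONEINFO_DIR) == -1)
        printf("truncated copy detected: %s\n", path);
    return 0;
}
```

The important behaviour is that both helpers report truncation rather than silently producing a shortened path; a caller that opens a truncated file name would at best fail and at worst operate on the wrong file, so the return value should be checked at every call site.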