author | joerg <joerg@FreeBSD.org> | 1996-12-16 17:32:58 +0000 |
---|---|---|
committer | joerg <joerg@FreeBSD.org> | 1996-12-16 17:32:58 +0000 |
commit | 971f474616993e9b2e653a649d0457ae5f2d1440 (patch) | |
tree | 5ecf058a45e73b7f913b30d3bd213de9e9221803 /lib/libc/locale | |
parent | 9c54862a3510bbc916453d7fe374a0f6a715bed5 (diff) | |
Fix yet another buffer overflow. :-(
Vulnerable: all programs that use setlocale(LC_COLLATE),
setlocale(LC_CTYPE), or setlocale(LC_ALL). The only setuid/setgid
binary I've found for this is w(1).
Should go into 2.2.
Diffstat (limited to 'lib/libc/locale')
-rw-r--r-- | lib/libc/locale/collate.c | 8 | ||||
-rw-r--r-- | lib/libc/locale/setrunelocale.c | 6 |
2 files changed, 5 insertions, 9 deletions
diff --git a/lib/libc/locale/collate.c b/lib/libc/locale/collate.c
index a74a1a3..79e410c 100644
--- a/lib/libc/locale/collate.c
+++ b/lib/libc/locale/collate.c
@@ -24,7 +24,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: collate.c,v 1.8 1996/10/23 15:35:43 ache Exp $
+ * $Id: collate.c,v 1.9 1996/11/26 02:49:31 ache Exp $
 */
 #include <rune.h>
@@ -73,10 +73,8 @@ __collate_load_tables(encoding)
 __collate_load_error = save_load_error;
 return -1;
 }
- strcpy(buf, _PathLocale);
- strcat(buf, "/");
- strcat(buf, encoding);
- strcat(buf, "/LC_COLLATE");
+ (void) snprintf(buf, sizeof buf, "%s/%s/LC_COLLATE",
+ _PathLocale, encoding);
 if ((fp = fopen(buf, "r")) == NULL) {
 __collate_load_error = save_load_error;
 return -1;
diff --git a/lib/libc/locale/setrunelocale.c b/lib/libc/locale/setrunelocale.c
index 228efe29..cf68a43 100644
--- a/lib/libc/locale/setrunelocale.c
+++ b/lib/libc/locale/setrunelocale.c
@@ -85,10 +85,8 @@ _xpg4_setrunelocale(encoding)
 if (!_PathLocale)
 return(EFAULT);
- (void) strcpy(name, _PathLocale);
- (void) strcat(name, "/");
- (void) strcat(name, encoding);
- (void) strcat(name, "/LC_CTYPE");
+ (void) snprintf(name, sizeof name, "%s/%s/LC_CTYPE",
+ _PathLocale, encoding);
 if ((fp = fopen(name, "r")) == NULL)
 return(ENOENT);
|
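Review bot: The return value of `snprintf` is cast to `(void)` in the `__collate_load_tables` hunk, so an over-long `_PathLocale`/`encoding` pair is silently truncated and the shortened name is still passed to `fopen`. The overflow is gone, but a truncated path can name a different file than the one requested, so the load should fail closed: keep the result in an `int n` and add `if (n < 0 || (size_t)n >= sizeof buf) { __collate_load_error = save_load_error; return -1; }` before the `fopen`. The same applies to the `name` buffer in the `_xpg4_setrunelocale` hunk of setrunelocale.c, where an errno value such as `ENAMETOOLONG` would fit the existing return style. Both function bodies start and end outside their hunks, so the declarations of `buf` and `name` and their sizes are not visible here.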
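Review bot: `encoding` is interpolated into the path given to `fopen` in `_xpg4_setrunelocale` without any visible check that it is a single path component. The commit message says a setuid/setgid binary reaches this code, so unless a caller already rejects it, a value containing `/` would let the locale name select a file outside `_PathLocale`. A guard such as `if (strchr(encoding, '/') != NULL) return(EINVAL);` placed before the `snprintf` would close that. The function body starts and ends outside the hunk, so such validation may already exist above the visible lines and should be confirmed there.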