From 120e62ec5055777059ebe216b680cb219146f436 Mon Sep 17 00:00:00 2001 From: Joerg Wunsch Date: Mon, 16 Dec 1996 17:32:58 +0000 Subject: [PATCH] Fix yet another buffer overflow. :-( Vulnerable: all programs that use setlocale(LC_COLLATE), setlocale(LC_CTYPE), or setlocale(LC_ALL). The only setuid/setgid binary i've found for this is w(1). Should go into 2.2. --- lib/libc/locale/collate.c | 8 +++----- lib/libc/locale/setrunelocale.c | 6 ++---- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/lib/libc/locale/collate.c b/lib/libc/locale/collate.c index a74a1a34fb0e..79e410c1a817 100644 --- a/lib/libc/locale/collate.c +++ b/lib/libc/locale/collate.c @@ -24,7 +24,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: collate.c,v 1.8 1996/10/23 15:35:43 ache Exp $ + * $Id: collate.c,v 1.9 1996/11/26 02:49:31 ache Exp $ */ #include @@ -73,10 +73,8 @@ __collate_load_tables(encoding) __collate_load_error = save_load_error; return -1; } - strcpy(buf, _PathLocale); - strcat(buf, "/"); - strcat(buf, encoding); - strcat(buf, "/LC_COLLATE"); + (void) snprintf(buf, sizeof buf, "%s/%s/LC_COLLATE", + _PathLocale, encoding); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; diff --git a/lib/libc/locale/setrunelocale.c b/lib/libc/locale/setrunelocale.c index 228efe2908a7..cf68a437a97f 100644 --- a/lib/libc/locale/setrunelocale.c +++ b/lib/libc/locale/setrunelocale.c @@ -85,10 +85,8 @@ _xpg4_setrunelocale(encoding) if (!_PathLocale) return(EFAULT); - (void) strcpy(name, _PathLocale); - (void) strcat(name, "/"); - (void) strcat(name, encoding); - (void) strcat(name, "/LC_CTYPE"); + (void) snprintf(name, sizeof name, "%s/%s/LC_CTYPE", + _PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT);