X-Authentication-Warning: delorie.com: mail set sender to djgpp-bounces using -f
Date: Sun, 21 Aug 2005 18:48:36 +0200
From: Damien
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040804
X-Accept-Language: en-us, en
MIME-Version: 1.0
Newsgroups: comp.os.msdos.djgpp
Subject: Buffer overflow in _rename
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 29
Message-ID: <4308b010$0$12429$626a14ce@news.free.fr>
Organization: Guest of ProXad - France
NNTP-Posting-Date: 21 Aug 2005 18:47:12 MEST
NNTP-Posting-Host: 82.230.26.21
X-Trace: 1124642832 news11-e.free.fr 12429 82.230.26.21:33065
X-Complaints-To: abuse AT proxad DOT net
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

Hi,

I am new to this list and wrote here because I am afraid there could be a buffer overflow in _rename (in src/libc/ansi/stdio/_rename.c) in case you have something like:

  _rename("/a", "target");

In the code that works around the Windows95 bug, the source path is copied to tempfile, then the last '/' is searched for and X$$djren$$.$$temp$$ is copied after it (line 84), so you get into tempfile:

  /X$$djren$$.$$temp$$

which will overflow tempfile, as it is declared as having FILENAME_MAX size.

This overflow will at least modify registers that are used afterwards, and you could get some bad result (the best result you could expect is an error because the registers point to a non-existing file).

I think tempfile should be declared as

  char tempfile[FILENAME_MAX+20]

to avoid the overflow (there is perhaps a better way that avoids the '20' constant and uses something related to the length of X$$djren$$.$$temp$$).

But even if this is modified, I do not know how Windows will behave, as it will get a filename length greater than FILENAME_MAX. Perhaps a better way is to create the temporary file in the root directory?

Regards,
Damien
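The post above describes a fixed-size path buffer being written past its end when a temporary name is appended after the last path separator. The example below is added here and is not DJGPP's _rename.c; it shows the bounds check that such a copy needs: compute the directory prefix, check that prefix plus temporary name plus the terminating NUL fits in the caller's buffer, and refuse (with ENAMETOOLONG) rather than write past the end. The temporary name is the one quoted in the post; the function name build_temp_path and the separator set ('/', '\\', ':') are assumptions for this illustration. Using sizeof on the string literal also removes the need for a hand-picked constant like the '20' the poster mentions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Temporary name quoted in the post; sizeof(DJREN_TEMPNAME) includes the NUL,
   so the required growth of the buffer follows from the literal itself. */
#define DJREN_TEMPNAME "X$$djren$$.$$temp$$"

/* build_temp_path (hypothetical helper, not libc code):
   copy the directory part of `src` (everything up to and including the last
   '/', '\\' or ':') into `out`, then append DJREN_TEMPNAME.
   Returns the length of the resulting string, or -1 with errno set to
   ENAMETOOLONG when the result would not fit in `outsize` bytes, NUL included.
   The check happens before any byte is written, so `out` is never overrun. */
int build_temp_path(const char *src, char *out, size_t outsize)
{
    size_t dirlen = 0;          /* length of the prefix to keep, 0 if no separator */
    size_t i;

    for (i = strlen(src); i > 0; i--) {
        char c = src[i - 1];
        if (c == '/' || c == '\\' || c == ':') {
            dirlen = i;         /* keep the separator itself */
            break;
        }
    }

    /* prefix + temp name + terminating NUL must fit */
    size_t need = dirlen + sizeof(DJREN_TEMPNAME);
    if (out == NULL || need > outsize) {
        errno = ENAMETOOLONG;
        return -1;
    }

    memcpy(out, src, dirlen);
    memcpy(out + dirlen, DJREN_TEMPNAME, sizeof(DJREN_TEMPNAME));
    return (int)(need - 1);
}

int main(void)
{
    char path[FILENAME_MAX];
    char tiny[8];               /* constructed: deliberately too small */
    int n;

    n = build_temp_path("/a", path, sizeof path);
    printf("\"/a\" -> %s (%d chars)\n", path, n);

    n = build_temp_path("c:/dir/file.txt", path, sizeof path);
    printf("\"c:/dir/file.txt\" -> %s (%d chars)\n", path, n);

    if (build_temp_path("/a", tiny, sizeof tiny) == -1)
        printf("8-byte buffer: refused (errno=%d, ENAMETOOLONG=%d)\n",
               errno, ENAMETOOLONG);
    return 0;
}
```

The design point is that the length check is derived from sizeof(DJREN_TEMPNAME) and from the caller-supplied buffer size, so neither the literal nor the buffer can change without the check following; a too-long result is reported as an error instead of being written.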