Mail Archives: djgpp/2005/08/21/13:01:25
X-Authentication-Warning: delorie.com: mail set sender to djgpp-bounces using -f
Date: Sun, 21 Aug 2005 18:48:36 +0200
From: Damien <damien DOT guibouret AT partition-saving DOT com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040804
X-Accept-Language: en-us, en
MIME-Version: 1.0
Newsgroups: comp.os.msdos.djgpp
Subject: Buffer overflow in _rename
Lines: 29
Message-ID: <4308b010$0$12429$626a14ce@news.free.fr>
Organization: Guest of ProXad - France
NNTP-Posting-Date: 21 Aug 2005 18:47:12 MEST
NNTP-Posting-Host: 82.230.26.21
X-Trace: 1124642832 news11-e.free.fr 12429 82.230.26.21:33065
X-Complaints-To: abuse AT proxad DOT net
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com
Hi,
I am new to this list and wrote here because I am afraid there could be
a buffer overflow in _rename (in src/libc/ansi/stdio/_rename.c) in case
you have something like:
_rename("<a very long path a little lower than FILENAME_MAX bytes>/a",
"target");
In the code to bypass the Windows95 bug, the source path is copied to
tempfile, then the last '/' is searched for and X$$djren$$.$$temp$$ is copied
after it (line 84), so you get into tempfile:
<a very long path a little lower than FILENAME_MAX
bytes>/X$$djren$$.$$temp$$
which will overflow tempfile as it is declared as having FILENAME_MAX
size. This overflow will at least modify registers that are used afterwards
and you could get some bad result (the best result you could expect is an
error because registers point to a non-existing file).
I think tempfile shall be declared char tempfile[FILENAME_MAX+20] to
avoid the overflow (there is perhaps a better way of not having a '20'
constant but something related to the length of X$$djren$$.$$temp$$).
But even if this is modified, I do not know how Windows will behave as
it will get a filename length greater than FILENAME_MAX.
Perhaps a better way is to create the temporary file in the root directory?
Regards,
Damien
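The check a maintainer would want at the point Damien describes is a length test before the temporary name is appended, rather than only a bigger buffer. The following is an added example written for this archive page; it is not DJGPP's `_rename.c`. `PATH_BUF_SIZE` (260), `build_temp_name`, `unchecked_write_length` and `make_long_source` are names and values assumed here for illustration; the suffix string is the one named in the message.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Assumed buffer size for illustration (stands in for FILENAME_MAX). */
#define PATH_BUF_SIZE 260

/* Suffix that the message says is copied after the last '/' of the source. */
static const char TEMP_NAME[] = "X$$djren$$.$$temp$$";

/* Returns the directory prefix length of `source`, including the trailing
 * '/' (0 when the path has no '/'). */
static size_t dir_prefix_len(const char *source)
{
    const char *slash = strrchr(source, '/');
    return slash ? (size_t)(slash - source) + 1 : 0;
}

/* Number of bytes (NUL included) that an unchecked "copy path, then overwrite
 * the name after the last '/'" would write into the temp buffer. When this
 * exceeds the buffer size, the pattern from the message overflows. This
 * helper only computes the number; it never writes. */
size_t unchecked_write_length(const char *source)
{
    return dir_prefix_len(source) + strlen(TEMP_NAME) + 1;
}

/* Hardened construction: builds "<dir>/X$$djren$$.$$temp$$" in `tempfile`
 * (capacity `bufsize`) and refuses with -1 / ENAMETOOLONG when the result
 * would not fit, instead of writing past the end. Returns 0 on success. */
int build_temp_name(const char *source, char *tempfile, size_t bufsize)
{
    size_t dir_len = dir_prefix_len(source);
    size_t needed = dir_len + strlen(TEMP_NAME) + 1;   /* +1 for the NUL */

    if (needed > bufsize) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(tempfile, source, dir_len);
    memcpy(tempfile + dir_len, TEMP_NAME, strlen(TEMP_NAME) + 1);
    return 0;
}

/* Constructed test input: fills `out` (capacity n) with a path of exactly
 * n-1 characters, a long directory component followed by "/a". This is the
 * "a little lower than FILENAME_MAX" case from the message. */
void make_long_source(char *out, size_t n)
{
    memset(out, 'p', n - 3);
    out[n - 3] = '/';
    out[n - 2] = 'a';
    out[n - 1] = '\0';
}

int main(void)
{
    char src[PATH_BUF_SIZE];
    char tmp[PATH_BUF_SIZE];

    /* Short path: fits, temp name is built next to the source. */
    if (build_temp_name("dir/a", tmp, sizeof tmp) == 0)
        printf("short path  -> %s\n", tmp);

    /* Long path: an unchecked copy would write past the buffer end. */
    make_long_source(src, sizeof src);
    printf("long path   -> unchecked copy would write %zu bytes into %d\n",
           unchecked_write_length(src), PATH_BUF_SIZE);
    if (build_temp_name(src, tmp, sizeof tmp) != 0)
        printf("long path   -> refused: %s\n", strerror(errno));
    return 0;
}
```

The suffix is 19 bytes, so a source whose directory part is 258 bytes needs 278 bytes in a 260-byte buffer; the hardened routine reports ENAMETOOLONG instead of corrupting the stack.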