CVE-2016-6318: Stack-based buffer overflow when parsing large GECOS field

It is not safe to pass words longer than STRINGSIZE further to cracklib
so the longbuffer cannot be longer than STRINGSIZE.
Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=1188599
Bug-Debian: https://bugs.debian.org/834502
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1364944
Forwarded: not-needed
Last-Update: 2016-08-16

Gbp-Pq: Name CVE-2016-6318.patch
Salvatore Bonaccorso 2022-06-04 14:14:21 +08:00 committed by Lu zhiping
parent 4fcca984e4
commit 6abdf68440
1 changed files with 34 additions and 25 deletions


@ -502,7 +502,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
char gbuffer[STRINGSIZE];
char tbuffer[STRINGSIZE];
char *uwords[STRINGSIZE];
char longbuffer[STRINGSIZE * 2];
char longbuffer[STRINGSIZE];
if (gecos == NULL)
gecos = "";
@ -582,6 +582,8 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
for (j = 1; (j < gwords) && uwords[j]; j++)
{
for (i = 0; i < j; i++)
{
if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)
{
strcpy(longbuffer, uwords[i]);
strcat(longbuffer, uwords[j]);
@ -598,7 +600,10 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
{
return _("it's derived from your password entry");
}
}
if (strlen(uwords[j]) < STRINGSIZE - 1)
{
longbuffer[0] = uwords[i][0];
longbuffer[1] = '\0';
strcat(longbuffer, uwords[j]);
@ -607,7 +612,10 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
{
return _("it is derivable from your password entry");
}
}
if (strlen(uwords[i]) < STRINGSIZE - 1)
{
longbuffer[0] = uwords[j][0];
longbuffer[1] = '\0';
strcat(longbuffer, uwords[i]);
@ -618,6 +626,7 @@ FascistGecosUser(char *password, const char *user, const char *gecos)
}
}
}
}
return NULL;
}
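Review bot: The new guards (`strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE` and the two `< STRINGSIZE - 1` checks) restate the size of `longbuffer` by hand, and nothing at the declaration records why that size must stay at STRINGSIZE. The arithmetic is correct for the `strcpy`/`strcat` sequences shown: each leaves room for the terminating NUL. But the bound serves two purposes, the local buffer size and the word length the rest of cracklib accepts, so a later resize of the buffer or a change to one guard could reintroduce the overflow without any warning. I would add a comment at the declaration, `/* Must stay at STRINGSIZE: words built here are passed on to cracklib code that assumes that limit; the guards below depend on it. */`. The code that consumes `longbuffer` and the rest of FascistGecosUser are outside the visible hunks, so the downstream limit is taken from the commit message rather than verified here.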