[krbdev.mit.edu #8671] minor bug in ksu


Jeffrey Arbuckle via RT
Hello, I was looking at ksu and noticed this code from
src/clients/ksu/main.c in the 1.16 distribution assumes that argc cannot be
zero, but at least on Linux that is not true - if you pass NULL for argv to
execve(), argc will be zero.

        target_user = xstrdup(argv[1]);
        pargc = argc -1;

        if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){
            com_err(prog_name, errno, _("while allocating memory"));
            exit(1);
        }

        pargv[pargc] = NULL;
        pargv[0] = argv[0];

        for(i =1; i< pargc; i ++){
            pargv[i] = argv[i + 1];
        }
    }

I think this will just crash, because of the strdup(NULL), but if that
succeeds on any platform this code will write NULL to pargv[-1], causing
heap corruption.

(on Linux execve("/usr/bin/ksu", NULL, NULL) will make argc zero, if you
want to test)

Thanks, Tavis.
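For comparison, here is an added example (not ksu's code, nor part of the report above) of the same argument shuffle with the argc check the report is asking for; build_pargv is a hypothetical name and the sample vectors are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Drop argv[1] (the target user) and shift the rest down one slot, as the
 * quoted ksu code does. Returns the new count, or -1 with errno set when
 * there is no argv[1] to read. Without the check, argc == 0 (execve() with
 * argv == NULL) gives pargc = -1, so calloc(0, ...) followed by the
 * pargv[-1] = NULL store that corrupts the heap. Hypothetical name. */
int build_pargv(int argc, char **argv, char ***out)
{
    char **pargv;
    int pargc, i;

    *out = NULL;
    if (argc < 2 || argv == NULL || argv[0] == NULL || argv[1] == NULL) {
        errno = EINVAL;               /* original: xstrdup(NULL), pargc = -1 */
        return -1;
    }
    pargc = argc - 1;
    pargv = calloc((size_t)pargc + 1, sizeof(char *));
    if (pargv == NULL)
        return -1;                    /* errno is ENOMEM from calloc */
    pargv[pargc] = NULL;              /* in bounds: pargc >= 1 here */
    pargv[0] = argv[0];
    for (i = 1; i < pargc; i++)
        pargv[i] = argv[i + 1];
    *out = pargv;
    return pargc;
}

int main(void)
{
    /* Constructed sample vectors: a normal invocation and the argc == 0 case. */
    char *normal[] = { "ksu", "alice", "-n", "alice@EXAMPLE.COM", NULL };
    char **pargv;
    int i, n = build_pargv(4, normal, &pargv);

    for (i = 0; i < n; i++)
        printf("pargv[%d] = %s\n", i, pargv[i]);
    free(pargv);
    if (build_pargv(0, NULL, &pargv) == -1)
        printf("argc == 0 rejected: %s\n", strerror(errno));
    return 0;
}
```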

_______________________________________________
krb5-bugs mailing list
https://mailman.mit.edu/mailman/listinfo/krb5-bugs