Bug 185298

Summary: dos2unix short-by-1 malloc bug causes temp-file rename failure
Product: Red Hat Enterprise Linux 4
Reporter: Buck Huppmann <buckh>
Component: dos2unix
Assignee: Tim Waugh <twaugh>
Status: CLOSED DUPLICATE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium    
Version: 4.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-03-13 14:32:05 UTC
Attachments:
Description: fixes the short-by-1 malloc() and fixes an inconsequential double-close()
Flags: none

Description Buck Huppmann 2006-03-13 14:29:25 UTC
Description of problem:
dos2unix short-by-1 malloc error causes buffer overrun in rename(), thus
leading to failure

Version-Release number of selected component (if applicable):
3.1-21

How reproducible:
on IA32, at least,
dos2unix /path/that's/multiple/of/4/bytes/file

Steps to Reproduce:
1. as above
  
Actual results:
dos2unix: converting file /path/that's/multiple/of/4/bytes/file  to UNIX format ...
dos2unix: problems renaming '/path/that's/multiple/of/4/bytes/d2utmp8tkzlo^A^O'
to '/path/that's/multiple/of/4/bytes/file'
          output file remains in '/tmp/fsrdata/temp/m1olt00/moebs/d2utmp8tkzlo^A^O'
dos2unix: problems converting file /path/that's/multiple/of/4/bytes/file

in the above, note the presence of the ^A^O (meant to represent the control
characters) at the end of the mkstemp()-derived temp file name. in an strace(1),
the same garbage shows up at the end of the failed rename() syscall, but not
in the mkstemp()'s open() syscall

Expected results:
dos2unix: converting file /path/that's/multiple/of/4/bytes/file  to UNIX format ...

Additional info:
looks like mkstemp() creates the file and stuffs the file name in the too-small
buffer OK but that rename() and even the *printf()'s read beyond the end of the
buffer because the terminal null gets overwritten by something else on the heap
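
The sizing error described in this report, shown as an added example (it is not dos2unix source and not the attached patch): a mkstemp() template needs strlen + 1 bytes, and a bounded write reports a short buffer instead of dropping the NUL onto the next heap object. The names TMP_NAME, template_len, build_template and make_temp_beside are hypothetical, and the sample path is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed for this example: the "d2utmp" prefix from the report's output
 * plus the six X's that mkstemp() replaces in place. */
#define TMP_NAME "d2utmpXXXXXX"

/* Length of "<dir of path>/" + TMP_NAME, excluding the terminating NUL. */
static size_t template_len(const char *path) {
    const char *slash = strrchr(path, '/');
    size_t dirlen = slash ? (size_t)(slash - path) + 1 : 0;
    return dirlen + strlen(TMP_NAME);
}

/* Write the template into buf; -1 if buf cannot hold it and its NUL.
 * snprintf() never writes past bufsz, so a short buffer is reported, not overrun. */
static int build_template(char *buf, size_t bufsz, const char *path) {
    const char *slash = strrchr(path, '/');
    int dirlen = slash ? (int)(slash - path) + 1 : 0;
    int n = snprintf(buf, bufsz, "%.*s%s", dirlen, path, TMP_NAME);
    return (n >= 0 && (size_t)n < bufsz) ? 0 : -1;
}

/* Hardened allocation: strlen + 1. Returns the temp file name (caller frees)
 * and its descriptor through fd_out, or NULL on any failure. */
static char *make_temp_beside(const char *path, int *fd_out) {
    size_t sz = template_len(path) + 1;   /* the +1 a short-by-1 malloc() lacks */
    char *tmpl = malloc(sz);
    if (tmpl == NULL) return NULL;
    if (build_template(tmpl, sz, path) != 0 || (*fd_out = mkstemp(tmpl)) < 0) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

int main(void) {
    int fd;
    char *name = make_temp_beside("/tmp/file", &fd);   /* constructed sample path */
    if (name == NULL) { perror("make_temp_beside"); return 1; }
    printf("temp file: %s (strlen %zu)\n", name, strlen(name));
    close(fd);
    unlink(name);
    free(name);
    return 0;
}
```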

Comment 1 Buck Huppmann 2006-03-13 14:29:25 UTC
Created attachment 126038
fixes the short-by-1 malloc() and fixes an inconsequential double-close()

Comment 2 Tim Waugh 2006-03-13 14:32:05 UTC

*** This bug has been marked as a duplicate of 174016 ***