Bug 185298 - dos2unix short-by-1 malloc bug causes temp-file rename failure
dos2unix short-by-1 malloc bug causes temp-file rename failure
Status: CLOSED DUPLICATE of bug 174016
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: dos2unix (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-13 09:29 EST by Buck Huppmann
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-13 09:32:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
fixes the short-by-1 malloc() and fixes an inconsequential double-close() (870 bytes, patch)
2006-03-13 09:29 EST, Buck Huppmann
no flags Details | Diff

  None (edit)
Description Buck Huppmann 2006-03-13 09:29:25 EST
Description of problem:
dos2unix short-by-1 malloc error causes buffer overrun in rename(), thus
leading to failure

Version-Release number of selected component (if applicable):
3.1-21

How reproducible:
on IA32, at least,
dos2unix /path/that's/multiple/of/4/bytes/file

Steps to Reproduce:
1. as above
2.
3.
  
Actual results:
dos2unix: converting file /path/that's/multiple/of/4/bytes/file  to UNIX format ...
dos2unix: problems renaming '/path/that's/multiple/of/4/bytes/d2utmp8tkzlo^A^O'
to '/path/that's/multiple/of/4/bytes/file'
          output file remains in '/tmp/fsrdata/temp/m1olt00/moebs/d2utmp8tkzlo^A^O'
dos2unix: problems converting file /path/that's/multiple/of/4/bytes/file

in the above, not the presence of the ^A^O (meant to represent the control
characters) at the end of the mkstemp()-derived temp file name. in an strace(1),
the same garbage shows up at the end of the failed rename() syscall, but not
in the mkstemp()'s open() syscall

Expected results:
dos2unix: converting file /path/that's/multiple/of/4/bytes/file  to UNIX format ...

Additional info:
looks like mkstemp() creates the file and stuffs the file name in the too-small
buffer OK but that rename() and even the *printf()'s read beyond the end of the
buffer because the terminal null gets overwritten by something else on the heap
Comment 1 Buck Huppmann 2006-03-13 09:29:25 EST
Created attachment 126038 [details]
fixes the short-by-1 malloc() and fixes an inconsequential double-close()
Comment 2 Tim Waugh 2006-03-13 09:32:05 EST

*** This bug has been marked as a duplicate of 174016 ***

Note You need to log in before you can comment on or make changes to this bug.