Bug 668 - f=fopen(fname,a) causes core dump when fname contains '\n'
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 5.1
Hardware: All Linux
medium
medium
Assignee: Cristian Gafton
Reported: 1999-01-02 15:11 UTC by allsupjd
Modified: 2008-05-01 15:37 UTC (History)
Doc Type: Bug Fix
Last Closed: 1999-01-04 17:52:00 UTC

Description allsupjd 1999-01-02 15:11:58 UTC
Example program

--------------------=[ fopenbug.c ]=---------------------

#include <stdio.h>

int main()
{
  FILE * f;
  f = fopen("/etc/hosts\n","r");
  fclose(f);
}

---------------------------------------------------------

Upon executing, gives
Segmentation fault(core dumped)

GCC as per RH5.1, GLIBC as per RH5.1

Potentially, this could be used to crash applications
that take filenames without filtering them -- I haven't
investigated further, but attacks may be possible.

Comment 1 David Lawrence 1999-01-03 21:37:59 UTC
I was able to replicate the problem. It has been assigned to a
developer for further review.

Comment 2 Cristian Gafton 1999-01-04 17:52:59 UTC
Invalid chars in fname will yield an unspecified behavior (Single Unix
Specs ver 2). Segfault is a perfectly valid "unspecified behavior" in
this case.
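
Added example, not part of the original report or of glibc: the reproducer's open/close with the `fopen` return value checked before `fclose`, plus the kind of filename filter the description mentions. `fopen` returns NULL and sets `errno` when a path cannot be opened, and passing NULL to `fclose` is undefined behaviour; the helper names `name_has_control_chars`, `checked_open_close` and `safe_open_close` are hypothetical.

```c
/* Added example: helper names are hypothetical, not from the bug report. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>

/* 1 if the name is NULL, empty, or holds a control character such as '\n'. */
static int name_has_control_chars(const char *name)
{
    if (name == NULL || *name == '\0')
        return 1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (iscntrl(*p))
            return 1;
    return 0;
}

/* The reproducer's open/close with the result checked.
 * Returns 0 on success, otherwise the errno value left by fopen(). */
static int checked_open_close(const char *fname)
{
    errno = 0;
    FILE *f = fopen(fname, "r");
    if (f == NULL)                 /* open failed: do not call fclose(NULL) */
        return errno ? errno : EIO;
    fclose(f);
    return 0;
}

/* Filter first, then open. Returns -1 if the name is rejected. */
static int safe_open_close(const char *fname)
{
    if (name_has_control_chars(fname))
        return -1;
    return checked_open_close(fname);
}

int main(void)
{
    /* Constructed inputs: the path from the report and the same path without '\n'. */
    const char *names[] = { "/etc/hosts\n", "/etc/hosts" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("checked=%d filtered=%d\n",
               checked_open_close(names[i]), safe_open_close(names[i]));
    return 0;
}
```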

