Bug 668 - f=fopen(fname,a) causes core dump when fname contains '\n'
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 5.1
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Cristian Gafton
Reported: 1999-01-02 10:11 EST by allsupjd
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 1999-01-04 12:52:00 EST
Description allsupjd 1999-01-02 10:11:58 EST
Example program

--------------------=[ fopenbug.c ]=---------------------

#include <stdio.h>

int main()
{
  FILE * f;
  f = fopen("/etc/hosts\n","r");
  fclose(f);
}

---------------------------------------------------------

Upon executing, gives
Segmentation fault(core dumped)

GCC as per RH5.1, GLIBC as per RH5.1

Potentially, this could be used to crash applications
that take filenames without filtering them -- I haven't
investigated further, but attacks may be possible.

Comment 1 David Lawrence 1999-01-03 16:37:59 EST
I was able to replicate the problem. It has been assigned to a
developer for further review.

Comment 2 Cristian Gafton 1999-01-04 12:52:59 EST
Invalid chars in fname will yield an unspecified behavior (Single Unix
Specs ver 2). Segfault is a perfectly valid "unspecified behavior" in
this case.
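
Added example, not part of the original report or its comments: the reproducer's fopen/fclose sequence with the return value checked, plus the filename filter the reporter alludes to. fopen() returns NULL when no file has exactly the name given, and passing NULL to fclose() is undefined behavior in C. The helper names `name_is_suspicious` and `open_and_close` are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>

/* Hypothetical helper: returns 1 if name is NULL, empty, or contains a
 * control character such as the '\n' in the bug title, else 0. */
int name_is_suspicious(const char *name)
{
    const unsigned char *p = (const unsigned char *)name;

    if (p == NULL || *p == '\0')
        return 1;
    for (; *p != '\0'; p++)
        if (iscntrl(*p))
            return 1;
    return 0;
}

/* Hypothetical helper: opens name for reading and closes it again.
 * Returns 0 on success or an errno value. fclose() is reached only with a
 * valid stream. With filter != 0, suspicious names are rejected with EINVAL
 * before the filesystem is touched. */
int open_and_close(const char *name, int filter)
{
    FILE *f;

    if (name == NULL || (filter && name_is_suspicious(name)))
        return EINVAL;
    f = fopen(name, "r");
    if (f == NULL)
        return errno;   /* e.g. ENOENT: no file with that exact name */
    if (fclose(f) != 0)
        return errno;
    return 0;
}

int main(void)
{
    const char *name = "/etc/hosts\n";   /* the name used in the report */
    int err = open_and_close(name, 0);

    if (err != 0)
        fprintf(stderr, "fopen failed, errno %d\n", err);
    if (open_and_close(name, 1) == EINVAL)
        fprintf(stderr, "name rejected by filter\n");
    return 0;
}
```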
