Bug 98733 - minicom crashes when inserting characters into existing line
minicom crashes when inserting characters into existing line
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: minicom (Show other bugs)
9
All Linux
medium Severity high
: ---
: ---
Assigned To: Eido Inoue
Brock Organ
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-07-08 00:45 EDT by David Costanzo
Modified: 2007-04-18 12:55 EDT (History)
0 users

See Also:
Fixed In Version: 2.00.0-16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-08-21 12:43:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to fix buffer overwrite (1.05 KB, patch)
2003-07-08 00:49 EDT, David Costanzo
no flags Details | Diff

  None (edit)
Description David Costanzo 2003-07-08 00:45:24 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312

Description of problem:
minicom crashes when you insert a character near the begining of an existing
line.  By "existing line" I mean a line that has already has characters after
the insertion point.

The problem is caused by a buffer overwrite in winscar2() in window.c.   "buf",
the buffer that is overwritten, is allocated on the stack, so overwriting the
buffer munges some other stack variables.  Eventually, wputc tries to
dereference a bad pointer.

Even though this is a stack-smashing bug, I doubt this is a security risk.

Version-Release number of selected component (if applicable):
minicom-2.00.0-12

How reproducible:
Always

Steps to Reproduce:
1. Log into a terminal using minicom
2. Type "echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX".  DO NOT PRESS
ENTER.  (I can repro with about fifty chars.  YYMV).
3. Use the back arrow to get to the begining of the line.  DO NOT USE DELETE. 
It's important that the point of insertion have many characters after it.
4. Type space.

Another way to get an "existing line" is to type and execute a long line, then
press the up-arrow to retreive it from your history.

    

Actual Results:  minicom crashes by raising an "unknown signal".

Expected Results:  The character is inserted and the remainder of the line is
shifted right.

Additional info:
Comment 1 David Costanzo 2003-07-08 00:49:49 EDT
Created attachment 92789 [details]
patch to fix buffer overwrite

This patch simply restricts the number of bytes written by memcpy to be within
the bounds of buf.  Note that, while this fixes the crash, the output still
gets a little munged.  I think this is a separate bug, though.

This patch also fixes the inaccurate comment describing what winschar2() does.
Comment 2 Eido Inoue 2003-08-21 12:43:18 EDT
thanks for the patch. incorporated into release 16

Note You need to log in before you can comment on or make changes to this bug.