From xemacs-m  Thu Sep 25 11:09:03 1997
Received: from newman.aventail.com (root@newman.aventail.com [199.238.236.1])
	by xemacs.org (8.8.5/8.8.5) with ESMTP id LAA19724
	for <xemacs-beta@xemacs.org>; Thu, 25 Sep 1997 11:09:00 -0500 (CDT)
Received: from kramer.in.aventail.com (wmperry@kramer.in.aventail.com [192.168.1.12])
	by newman.aventail.com (8.8.5/8.8.5) with ESMTP id JAA09414
	for <xemacs-beta@xemacs.org>; Thu, 25 Sep 1997 09:09:03 -0700 (PDT)
Received: (from wmperry@localhost)
	by kramer.in.aventail.com (8.8.5/8.8.5) id JAA19824;
	Thu, 25 Sep 1997 09:06:33 -0700
To: xemacs-beta@xemacs.org
Subject: Re: Fatal serious (security) flaw in XEmacs 19.16/20.3
References: <m2zpp22ae9.fsf@altair.xemacs.org>
Errors-to: wmperry@aventail.com
Reply-to: wmperry@aventail.com
X-Face: O~Rn;(l][/-o1sALg4A@xpE:9-"'IR[%;,,!m7</SYF`{vYQ(&RI1&EiH[FvT;J}@f!4kfz
 x_!Y#=y{Uuj9GvUi=cPuajQ(Z42R[wE@{G,sn$qGr5g/wnb*"*ktI+,CD}1Z'wxrM2ag-r0p5I6\nA
 [WJopW_J.WY;
From: wmperry@aventail.com (William M. Perry)
Date: 25 Sep 1997 09:06:33 -0700
In-Reply-To: SL Baur's message of "24 Sep 1997 23:08:30 -0700"
Message-ID: <86202dwf7a.fsf@kramer.in.aventail.com>
Lines: 34
X-Mailer: Quassia Gnus v0.9/XEmacs 20.3(beta23) - "Sarajevo"

SL Baur <steve@xemacs.org> writes:

> Please evaluate this function (in a separate invocation if you are
> reading mail in XEmacs) and report back if you *do not* see an error
> message or check to see what your system #defines MAXNAMLEN to.
> 
> (directory-files "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
> 
> I see:
> 
> Opening directory: File name too long, #<EMACS BUG: ILLEGAL DATATYPE (#o  7) Save your buffers immediately and please report this bug>
> 
> This is actually a stack overrun, and it exists in 19.16[1].  

  Yup - definitely a stack overrun.  Not sure why it doesn't cause more bad 
things to happen (at least on linux I just get a normal error).

  {
    /* XEmacs: this should come before the opendir() because it might error. */
    Lisp_Object name_as_dir = Ffile_name_as_directory (dirname);
    CHECK_STRING (name_as_dir);
    memcpy (statbuf, ((char *) XSTRING_DATA (name_as_dir)),
           XSTRING_LENGTH (name_as_dir));
    statbuf_tail = statbuf + XSTRING_LENGTH (name_as_dir);
  }

  We should actually check XSTRING_LENGTH(name_as_dir) > MAXNAMLEN before
doing the memcpy.

  The real question is why don't we just use Fexpand_file_name and
make_string instead of mucking directly with the buffers.  Sure it will make
directory-files slower, but is that ever likely to be in bottleneck code?

-Bill P.
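The length check Bill proposes, shown as an added example rather than code from XEmacs or from this thread. The unchecked copy reproduces the fixed-buffer pattern quoted above; the checked form rejects a name that would not leave room for a full directory entry and a terminating NUL before anything is copied. The buffer size, the fallback MAXNAMLEN value of 255, the function names and the constructed inputs are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fallback: most dirent.h headers define MAXNAMLEN as 255. It is
   hard-coded here so the example compiles without dirent.h. */
#ifndef MAXNAMLEN
#define MAXNAMLEN 255
#endif

/* Fixed-size stack buffer holding "<dir>/<entry>". The size is an
   assumption for this example, not the size used in dired.c. */
#define STATBUF_SIZE (MAXNAMLEN * 2 + 2)

/* The pattern from the quoted code: copy the directory name into statbuf
   with no length check. A name longer than the buffer overruns the stack. */
static char *copy_dirname_unchecked(char *statbuf, const char *name, size_t len)
{
    memcpy(statbuf, name, len);
    return statbuf + len;            /* statbuf_tail */
}

/* Hardened form: check before the memcpy, as Bill suggests. Returns NULL
   when the name is too long, which the caller turns into an error instead
   of a buffer overrun. */
static char *copy_dirname_checked(char *statbuf, size_t bufsize,
                                  const char *name, size_t len)
{
    if (len > MAXNAMLEN || len + MAXNAMLEN + 1 > bufsize)
        return NULL;
    memcpy(statbuf, name, len);
    statbuf[len] = '\0';
    return statbuf + len;
}

/* Build "<dir><entry>" in statbuf the way directory-files does when it
   stats each entry. dir is expected to end in '/', as
   Ffile_name_as_directory guarantees. Returns 0 on success, -1 if either
   part is too long for the buffer. */
int build_entry_path(char *statbuf, size_t bufsize,
                     const char *dir, const char *entry)
{
    size_t dlen = strlen(dir);
    size_t elen = strlen(entry);
    char *tail = copy_dirname_checked(statbuf, bufsize, dir, dlen);
    if (tail == NULL || elen > MAXNAMLEN)
        return -1;
    memcpy(tail, entry, elen);
    tail[elen] = '\0';
    return 0;
}

/* Constructed input: a 300-character directory name, longer than MAXNAMLEN,
   like the string of a's in the original report. Returns the result of
   build_entry_path, which must be -1. */
int demo_too_long(void)
{
    char statbuf[STATBUF_SIZE];
    char longname[301];
    memset(longname, 'a', 300);
    longname[300] = '\0';
    return build_entry_path(statbuf, sizeof statbuf, longname, "x");
}

/* Constructed input: an ordinary name. Returns 0 only if the path was
   built and reads "/tmp/file.txt". */
int demo_ok(void)
{
    char statbuf[STATBUF_SIZE];
    if (build_entry_path(statbuf, sizeof statbuf, "/tmp/", "file.txt") != 0)
        return -1;
    return strcmp(statbuf, "/tmp/file.txt");
}

int main(void)
{
    char statbuf[STATBUF_SIZE];
    /* The unchecked copy behaves the same on a short name; the difference
       only shows up on oversized input, which is never passed to it here. */
    copy_dirname_unchecked(statbuf, "/tmp/", 5);
    printf("too long rejected: %s\n", demo_too_long() == -1 ? "yes" : "no");
    printf("normal path built: %s\n", demo_ok() == 0 ? "yes" : "no");
    return 0;
}
```

The check belongs before the memcpy, not after it: once the copy has run, the return address may already be gone, which is why the report sees a corrupted Lisp object rather than a clean "File name too long" error.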

