Re: Possible buffer overflow in dosinst.c ?

  • Bram Moolenaar
    Message 1 of 2 , Feb 11, 2013
      Thomas Gwae wrote:

      > I just came across a possible buffer overflow in dosinst.c.
      >
      > ---- l 368 ----
      > static void
      > get_vim_env(void)
      > {
      > char *vim;
      > char buf[BUFSIZE];
      > FILE *fd;
      > char fname[BUFSIZE];
      >
      > /* First get $VIMRUNTIME. If it's set, remove the tail. */
      > vim = getenv("VIMRUNTIME");
      > if (vim != NULL && *vim != 0)
      > {
      > strcpy(buf, vim);
      > ---- l 380 ----
      >
      > We can see that if the environment variable is longer than BUFSIZE, we are in a typical case of buffer overflow.
      >
      > We know that BUFSIZE is 512 and "the maximum size of a user-defined environment variable is 32,767 characters" (http://msdn.microsoft.com/en-us/library/windows/desktop/ms682653(v=vs.85).aspx).
      >
      > This can only be "useful" if the install process is launched "as" administrator, and the "evil" user took the time to set VIMRUNTIME in adequacy.
      >
      > I apologize, but I don't have any Windows VM, so I can't check if I'm wrong.

      I'll add a note in the todo list. If an attacker manages to set your
      VIMRUNTIME environment variable it may already be too late. But we can
      fix it anyway.

      --
      Yesterday, all my deadlines seemed so far away
      now it looks as though it's freeze in four days
      oh I believe in cvs..
      [ CVS log "Beatles style" for FreeBSD ports/INDEX, Satoshi Asami ]

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ an exciting new programming language -- http://www.Zimbu.org ///
      \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
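
The overflow discussed in this thread comes from an unbounded strcpy() of an environment value into a BUFSIZE buffer. As an added example (not code from the thread or from Vim's source), one way to bound that copy is to check the length first and reject oversized values instead of truncating a path; `copy_bounded`, `getenv_bounded` and `try_length` are hypothetical names and the test strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUFSIZE 512   /* buffer size the post gives for dosinst.c */

/* Hypothetical helper, not part of dosinst.c: copy src into dst[dstsize].
 * Returns 0 on success, -1 if src is NULL or empty, -2 if it does not fit.
 * On failure dst is an empty string; a truncated path is never produced. */
static int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len;
    if (dst == NULL || dstsize == 0)
        return -2;
    dst[0] = '\0';
    if (src == NULL || *src == '\0')
        return -1;
    len = strlen(src);
    if (len >= dstsize)            /* no room for the terminating NUL */
        return -2;
    memcpy(dst, src, len + 1);     /* len + 1 <= dstsize, NUL included */
    return 0;
}

/* Same checks applied to an environment variable such as VIMRUNTIME. */
static int getenv_bounded(const char *name, char *dst, size_t dstsize)
{
    return copy_bounded(dst, dstsize, getenv(name));
}

/* Constructed input: `len` 'A' characters copied into a BUFSIZE buffer. */
static int try_length(size_t len)
{
    static char val[32768];        /* 32,767-char limit from the post + NUL */
    char buf[BUFSIZE];
    int rc;
    if (len >= sizeof(val))
        return -3;
    memset(val, 'A', len);
    val[len] = '\0';
    rc = copy_bounded(buf, sizeof(buf), val);
    return (rc == 0 && strlen(buf) != len) ? -3 : rc;
}

int main(void)
{
    char buf[BUFSIZE];
    printf("VIMRUNTIME=%d 511=%d 512=%d\n",
           getenv_bounded("VIMRUNTIME", buf, sizeof(buf)), try_length(511), try_length(512));
    return 0;
}
```

A value of exactly BUFSIZE characters is rejected as well, because the terminating NUL would land one byte past the buffer.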
