free() on stack memory

余生分开走 2020-12-06 18:07

I'm supporting some C code on Solaris, and I've seen something weird, at least I think it is:

char new_login[64];
...
strcpy(new_login, (char *)login);
...
5 answers
• 粉色の甜心
    2020-12-06 18:41

    The free() is definitely a bug.
    However, it's possible there's another bug here:

       strcpy(new_login, (char *)login);

    If the function isn't pedantically confirming that login is 63 or fewer characters with the appropriate null termination, then this code has a classic buffer overflow bug. If a malicious party can fill login with the right bytes, they can overwrite the return pointer on the stack and execute arbitrary code. One solution is:

       new_login[sizeof(new_login)-1]='\0';
       strncpy(new_login, (char *)login, sizeof(new_login)-1 );
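An added example (not code from the question or the answer above) that wraps the terminate-then-strncpy pattern from the answer in a helper which also reports whether the input was truncated, so a caller can reject an over-long login instead of silently keeping a cut-off one. The 64-byte buffer size is taken from the question; the function and variable names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size as in the question: char new_login[64]. */
#define LOGIN_LEN 64

/* Bounded copy of `login` into `dst` (dstsz bytes), following the answer:
 * write the terminator first, then copy at most dstsz-1 bytes so the
 * terminator can never be overwritten.  Returns 1 if the whole login fit,
 * 0 if it was truncated.  memchr is used instead of strlen so that an
 * unterminated `login` is never scanned past dstsz bytes. */
int copy_login(char *dst, size_t dstsz, const char *login)
{
    if (dstsz == 0)
        return 0;
    dst[dstsz - 1] = '\0';
    strncpy(dst, login, dstsz - 1);
    /* A NUL within the first dstsz bytes means strlen(login) <= dstsz-1. */
    return memchr(login, '\0', dstsz) != NULL;
}

/* Mirrors the question's function shape: the buffer is automatic storage on
 * the stack, so it must NOT be passed to free(); it is released on return.
 * Returns the copy_login() verdict so a caller can act on truncation. */
int demo(const char *login)
{
    char new_login[LOGIN_LEN];
    int ok = copy_login(new_login, sizeof new_login, login);
    printf("%s: \"%s\" (%zu chars kept)\n",
           ok ? "accepted" : "rejected (truncated)", new_login, strlen(new_login));
    return ok;
}

int main(void)
{
    /* Constructed inputs: one that fits exactly (63 chars) and one that
     * would have overflowed the original strcpy() (199 chars). */
    char fits[LOGIN_LEN], too_long[200];
    memset(fits, 'a', LOGIN_LEN - 1);
    fits[LOGIN_LEN - 1] = '\0';
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    demo("alice");
    demo(fits);
    demo(too_long);
    return 0;
}
```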
    
