InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.
Bug #27
In bsdgames/atc
```c
typedef struct {
	char name[10];
	char host[256];
	char game[256];
	int planes;
	int time;
	int real_time;
} SCORE;
...
SCORE score[100], thisscore;
		/* the getpwuid() lookup and the check that opens this block are elided above */
		fprintf(stderr,
		    "getpwuid failed for uid %d. Who are you?\n",
		    (int)getuid());
		return (-1);
	}
	strcpy(thisscore.name, pw->pw_name);	/* unbounded copy into a 10-byte field */
```
Login names can be longer than 10 bytes, so the strcpy() overruns thisscore.name. Note also that the game doesn't check whether dropping privileges failed, so the overflow can occur while the process still holds its set-id privileges.
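As an added illustration (this is not code from bsdgames, and the function names copy_login_name and drop_privileges are my own), here is the same SCORE record with a bounded copy that reports truncation, and a privilege drop that checks its own result before the game goes on to parse user-controlled data:

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same layout as the SCORE record in atc; name holds 9 characters plus the NUL. */
typedef struct {
	char name[10];
	char host[256];
	char game[256];
	int planes;
	int time;
	int real_time;
} SCORE;

SCORE thisscore;

/* Hypothetical replacement for the unbounded strcpy(). snprintf() never writes
 * past the buffer and always NUL-terminates; its return value is the length the
 * full string needed, so a value >= sizeof(name) means the login was cut off.
 * Returns 0 when the whole name fit, -1 when it was truncated. */
int copy_login_name(SCORE *s, const char *login)
{
	int needed = snprintf(s->name, sizeof(s->name), "%s", login);

	if (needed < 0 || (size_t)needed >= sizeof(s->name))
		return -1;
	return 0;
}

/* Hypothetical checked privilege drop. A set-id game should call this as soon
 * as it has obtained the privileged resource (the shared score file) and must
 * refuse to continue if the drop did not take effect. Returns 0 on success. */
int drop_privileges(void)
{
	uid_t uid = getuid();
	gid_t gid = getgid();

	/* Group first: once the uid is unprivileged, setgid() may be refused. */
	if (setgid(gid) != 0)
		return -1;
	if (setuid(uid) != 0)
		return -1;
	/* Confirm the drop rather than trusting the return codes alone. */
	if (geteuid() != uid || getegid() != gid)
		return -1;
	return 0;
}

int main(void)
{
	struct passwd *pw;

	if (drop_privileges() != 0) {
		fprintf(stderr, "could not drop privileges, refusing to continue\n");
		return 1;
	}
	pw = getpwuid(getuid());
	if (pw == NULL) {
		fprintf(stderr, "getpwuid failed for uid %d. Who are you?\n", (int)getuid());
		return 1;
	}
	if (copy_login_name(&thisscore, pw->pw_name) != 0)
		fprintf(stderr, "login name truncated to \"%s\"\n", thisscore.name);
	printf("score entry for %s\n", thisscore.name);
	return 0;
}
```

Truncating silently would still corrupt the high-score table for long logins, which is why the copy returns a status the caller can act on; whether to reject or shorten the name is a policy choice, but it is no longer a memory-safety one.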