Date: Thu, 13 Feb 1997 23:50:51 -0700
From: Warner Losh <imp@village.org>
To: Vadim Kolontsov <vadim@tversu.ac.ru>
Cc: freebsd-security@freebsd.org
Subject: Re: new bugs with strcpy()
Message-ID: <E0vvHTv-000254-00@rover.village.org>
In-Reply-To: Your message of "Wed, 12 Feb 1997 12:51:56 +0300." <Pine.NEB.3.95.970212122850.18936A-100000@mailserv.tversu.ac.ru>
References: <Pine.NEB.3.95.970212122850.18936A-100000@mailserv.tversu.ac.ru>
In message <Pine.NEB.3.95.970212122850.18936A-100000@mailserv.tversu.ac.ru> Vadim Kolontsov writes:
: For example,
:     static char pathname[MAXPATHLEN];
:     sprintf(pathname, "%s/%s", dirp->name, filename);
: }
:
: (of course, tftpd runs as nobody by default, but when you'll get
: access to the system you can use another exploit...)

And you are overflowing a static buffer, which is *MUCH* harder to exploit than the stack overflows that we've read so much about. Nonetheless, I'll be committing a fix for this at some point soon. Can't be too careful :-)

: It looks that we need to check the whole source tree carefully..
: Or at least apply patches to libc's strcpy() that check the stack frame.

Yes. That's true. Such an effort is going on. Thanks for pointing out possible problems...

Warner
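The fix pattern the thread alludes to, as an added example that is not code from either poster or from the FreeBSD tftpd change itself: the unbounded sprintf() into a fixed-size buffer is replaced by a bounded snprintf() whose return value is checked, so an over-long dirp->name or filename is rejected instead of running past the end of the array. The helper name join_path and the fallback MAXPATHLEN value are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024  /* assumed fallback; <sys/param.h> normally defines it */
#endif

/*
 * Vulnerable pattern from the thread (kept only as a comment, never compiled):
 *     static char pathname[MAXPATHLEN];
 *     sprintf(pathname, "%s/%s", dirp->name, filename);
 * Nothing stops strlen(dirp->name) + 1 + strlen(filename) + 1 from exceeding
 * MAXPATHLEN, so the write simply continues into whatever follows the array.
 *
 * Hardened replacement: snprintf() writes at most dstlen bytes (always
 * NUL-terminated) and returns the length the full string *would* have had,
 * so a return value >= dstlen means the result was truncated.  We treat
 * truncation as an error rather than silently using a mangled path.
 * Returns 0 on success, -1 if the joined path does not fit.
 */
int join_path(char *dst, size_t dstlen, const char *dir, const char *file)
{
    if (dst == NULL || dstlen == 0 || dir == NULL || file == NULL)
        return -1;

    int n = snprintf(dst, dstlen, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* do not hand back a truncated path */
        return -1;
    }
    return 0;
}

/* Same static buffer as in the quoted tftpd code, now filled safely. */
static char pathname[MAXPATHLEN];

const char *tftpd_style_lookup(const char *dirname, const char *filename)
{
    if (join_path(pathname, sizeof pathname, dirname, filename) != 0)
        return NULL;            /* caller reports an error instead of opening a bogus path */
    return pathname;
}
```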
