Date: Tue, 4 Mar 2008 16:28:37 GMT From: sipher <sipherr@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/121359: local stack overflow in ppp Message-ID: <200803041628.m24GSboX002094@www.freebsd.org> Resent-Message-ID: <200803041640.m24Ge1lM069005@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 121359 >Category: misc >Synopsis: local stack overflow in ppp >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Mar 04 16:40:00 UTC 2008 >Closed-Date: >Last-Modified: >Originator: sipher >Release: FreeBSD 7.0 >Organization: none >Environment: all affected. >Description: http://www.securityfocus.com/archive/82/488980/30/0/threaded Stack based overflow which is confirmed to be exploitable on FreeBSD 7.0. >How-To-Repeat: 1. Run ppp 2. type the following (or atleat some variation of) ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxx >Fix: diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c index 77f06a1..0cf01d1 100644 --- a/usr.sbin/ppp/systems.c +++ b/usr.sbin/ppp/systems.c @@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to) from++; while (*from != '\0') { + if (to >= endto) { + *endto = '\0'; + return from; + } switch (*from) { case '"': instring = !instring; @@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to) *to++ = '\\'; /* Pass the escapes on, maybe skipping \# */ break; } + if (to >= endto) { + *endto = '\0'; + return from; + } *to++ = *from++; break; case '$': @@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to) *ptr++ = *from; *ptr = '\0'; } + if (to >= endto) { + *endto = '\0'; + return from; + } if (*to == '\0') *to++ = '$'; else if ((env = getenv(to)) != NULL) { @@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to) if (len == 0) pwd = getpwuid(ID0realuid()); else { + if (to + len >= endto) { + *to = '\0'; + return from; + } strncpy(to, from, len); to[len] = '\0'; pwd = getpwnam(to); Submitted by Eygene Ryabinkin (rea-sec@codelabs.ru) >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803041628.m24GSboX002094>