From owner-freebsd-bugs@FreeBSD.ORG Tue Mar 4 16:40:01 2008
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6A73E1065672 for ; Tue, 4 Mar 2008 16:40:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 4875A8FC26 for ; Tue, 4 Mar 2008 16:40:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m24Ge1fD069006 for ; Tue, 4 Mar 2008 16:40:01 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m24Ge1lM069005; Tue, 4 Mar 2008 16:40:01 GMT (envelope-from gnats)
Resent-Date: Tue, 4 Mar 2008 16:40:01 GMT
Resent-Message-Id: <200803041640.m24Ge1lM069005@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, sipher
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A3EE41065670 for ; Tue, 4 Mar 2008 16:31:36 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id 95A538FC1F for ; Tue, 4 Mar 2008 16:31:36 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m24GSbRp002095 for ; Tue, 4 Mar 2008 16:28:37 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.14.2/8.14.1/Submit) id m24GSboX002094; Tue, 4 Mar 2008 16:28:37 GMT (envelope-from nobody)
Message-Id: <200803041628.m24GSboX002094@www.freebsd.org>
Date: Tue, 4 Mar 2008 16:28:37 GMT
From: sipher
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: misc/121359: local stack overflow in ppp
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Mar 2008 16:40:01 -0000

>Number:         121359
>Category:       misc
>Synopsis:       local stack overflow in ppp
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 04 16:40:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     sipher
>Release:        FreeBSD 7.0
>Organization:
none
>Environment:
all affected.
>Description:
http://www.securityfocus.com/archive/82/488980/30/0/threaded

Stack-based overflow which is confirmed to be exploitable on FreeBSD 7.0.
>How-To-Repeat:
1. Run ppp
2. Type the following (or at least some variation of)

~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxx
>Fix:
diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to) from++; while (*from != '\0') { + if (to >= endto) { + *endto = '\0'; + return from; + } switch (*from) { case '"': instring = !instring;
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to) *to++ = '\\'; /* Pass the escapes on, maybe skipping \# */ break; } + if (to >= endto) { + *endto = '\0'; + return from; + } *to++ = *from++; break; case '$':
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to) *ptr++ = *from; *ptr = '\0'; } + if (to >= endto) { + *endto = '\0'; + return from; + } if (*to == '\0') *to++ = '$'; else if ((env = getenv(to)) != NULL) {
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to) if (len == 0) pwd = getpwuid(ID0realuid()); else { + if (to + len >= endto) { + *to = '\0'; + return from; + } strncpy(to, from, len); to[len] = '\0'; pwd = getpwnam(to);

Submitted by Eygene Ryabinkin (rea-sec@codelabs.ru)
>Release-Note:
>Audit-Trail:
>Unformatted:
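Review bot: the loop-top check in the first hunk (`@@ -82,6 +82,10 @@`) truncates silently and hands back `from` pointing into the middle of the current argument, so the caller sees the unconsumed tail as the start of the next argument instead of as an over-long line; log the truncation and advance `from` to the end of the argument before the `return from;`, or at least document that an over-long argument is split. The `*endto = '\0';` at that point is only safe if no case can move `to` beyond `endto` within one iteration, which holds because every write path in the loop now does at most one unguarded `*to++` after a check; that invariant is what the whole patch rests on and deserves a comment beside the check.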
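Review bot: the extra check in the backslash hunk (`@@ -97,6 +101,10 @@`) is needed because the inner `default:` has already executed `*to++ = '\\';` after the loop-top check, but when it fires the escape sequence is split: the backslash is already stored in `to` and `from` already points at the escaped character (the next statement is `*to++ = *from++;`), so the returned pointer makes that character the first byte of the next argument. Either undo the backslash (`to--`) before returning, or check for two free bytes before the inner `switch` so the escape is emitted whole or not at all.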
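Review bot: the check in the `$` hunk (`@@ -127,6 +135,10 @@`) looks like dead code: the variable name is accumulated through `ptr` (`*ptr++ = *from; *ptr = '\0';`) while `to` still holds the value tested at the top of the loop in the first hunk, so `to >= endto` cannot be true at this point. Drop it, or if some branch of the `$` case does advance `to` before this line, say which one in a comment so the next reader does not remove the check as redundant.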
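Review bot: `to + len >= endto` in the `~` hunk (`@@ -142,6 +154,10 @@`) forms the pointer `to + len` before testing it, and for the long user names this PR is about that pointer lies far past the end of the buffer, which is undefined behaviour in C even though it is never dereferenced; write the test as `len >= (size_t)(endto - to)`. The comparison is also one byte conservative: with `to + len == endto`, `to[len] = '\0';` would land exactly on the byte the other hunks terminate with `*endto = '\0';`, so `>` would do. Finally, this hunk writes `*to = '\0';` where the others write `*endto = '\0';`; that is correct here because the loop-top check guarantees `to < endto`, but a one-line comment would spare the reader the argument.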
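To make the mechanics of the How-To-Repeat input concrete, the following is an added example that is not part of the PR and not ppp's code. It models InterpretArg() with only the two behaviours the PR's input exercises: "~/" expands to a home directory (a constant standing in for getpwuid()/pwd->pw_dir, an assumption) and everything else is copied byte by byte. LINE_LEN is scaled down to 64 (an assumption; the real value is larger) and the output buffer is followed by guard bytes so the overrun can be measured without corrupting the stack. With the check off, the plain-character copy is unbounded, as in the unpatched code; with it on, the loop-top check from the patch's first hunk applies. The point the numbers make is that the "~/" expansions amplify the input, so an input line shorter than the output buffer still overruns it.

```c
#include <stdio.h>
#include <string.h>

/* Assumptions for this stand-alone model (not ppp's values). */
#define LINE_LEN 64                 /* scaled-down stand-in for ppp's LINE_LEN */
#define GUARD    32                 /* bytes after the logical buffer, to measure the overrun */
#define HOME_DIR "/home/sipher"     /* constructed value standing in for pwd->pw_dir */

/*
 * Expand `from` into `to`, a LINE_LEN-byte buffer, and return the unconsumed
 * input as the original does.  checked == 0: the plain copy is unbounded, as in
 * the unpatched function.  checked == 1: the loop-top check from the patch.
 */
static const char *interpret_arg(const char *from, char *to, int checked)
{
    char *endto = to + LINE_LEN - 1;     /* last byte, reserved for the terminator */

    while (*from != '\0') {
        if (checked && to >= endto) {    /* the patch: stop before writing past endto */
            *endto = '\0';
            return from;
        }
        if (*from == '~' && (from[1] == '/' || from[1] == '\0')) {
            /* "~" alone: bounded copy of the home directory, the way the
             * original copies pwd->pw_dir (strncpy to endto, then terminate). */
            size_t room = to < endto ? (size_t)(endto - to) : 0;  /* 0 only on the unchecked path */

            from++;
            strncpy(to, HOME_DIR, room);
            if (room) {
                *endto = '\0';
                to += strlen(to);
            }
        } else {
            *to++ = *from++;             /* unpatched default: case, no bound at all */
        }
    }
    *to = '\0';
    return from;
}

/* Expand into a LINE_LEN buffer followed by GUARD bytes of 'G' and report how
 * many guard bytes were overwritten; 0 means the expansion stayed in bounds. */
static size_t guard_bytes_clobbered(const char *input, int checked)
{
    char buf[LINE_LEN + GUARD];
    size_t i, n = 0;

    memset(buf, 'G', sizeof buf);
    interpret_arg(input, buf, checked);
    for (i = LINE_LEN; i < sizeof buf; i++)
        if (buf[i] != 'G')
            n++;
    return n;
}

/* Length of the expanded string: shows how much "~/" amplifies the input. */
static size_t expanded_length(const char *input, int checked)
{
    char buf[LINE_LEN + GUARD];

    memset(buf, 'G', sizeof buf);
    interpret_arg(input, buf, checked);
    return strlen(buf);
}

/* The input the patched expansion hands back unconsumed when it truncates. */
static const char *unconsumed_tail(const char *input)
{
    static char buf[LINE_LEN + GUARD];

    return interpret_arg(input, buf, 1);
}

int main(void)
{
    /* Constructed input in the shape of the PR's "~/~/.../xxx" line. */
    const char *poc = "~/~/~/~/~/xxxxxxxx";

    printf("input length: %zu\n", strlen(poc));
    printf("unpatched: expands to %zu bytes, %zu written past the buffer\n",
           expanded_length(poc, 0), guard_bytes_clobbered(poc, 0));
    printf("patched:   expands to %zu bytes, %zu written past the buffer, rest \"%s\"\n",
           expanded_length(poc, 1), guard_bytes_clobbered(poc, 1), unconsumed_tail(poc));
    return 0;
}
```

With these assumptions an 18-byte input expands to 72 bytes in the unpatched model, 9 of them past the 64-byte buffer (8 data bytes plus the terminator), while the patched model stops at 63 bytes and returns "/xxxxxxxx" as the unconsumed remainder, which is exactly the truncation behaviour the hunks introduce.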