Date:      Tue, 10 Dec 1996 11:29:16 +0100
From:      Eivind Eklund <eivind@dimaga.com>
To:        bugtraq@netspace.org, bugs@freebsd.org
Subject:   Re: L0pht Advisory: modstat
Message-ID:  <3.0.32.19961210112914.009a57f0@dimaga.com>

>                          L0pht Security Advisory
>                       Advisory released Dec 9 1996
>
>                           Application: modstat
>
>                 Vulnerability Scope: systems with the *BSD
>                    distribution of modstat sgid kmem
>
>                        Author: mudge@l0pht.com
>
> The problem exists in the dostat() routine where an arbitrary sized string
> is shoved into sbuf.name through a strcpy().

Here is a patch for FreeBSD 2.1.6 (should be extremely similar on other BSD
4.4 derivatives).

75,80c75,77
< 	if (modname != NULL) {
< 		strncpy(sbuf.name, modname, sizeof(sbuf.name));
< 		sbuf.name[sizeof(sbuf.name)-1] = 0; /* Ensure termination */
< 	} else {
< 		sbuf.name[0] = 0;
< 	}
---
> 	if (modname != NULL)
> 		strcpy(sbuf.name, modname);
> 
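
Review bot: the hunk direction looks reversed. In the 75,80c75,77 change the `<` lines carry the bounded strncpy() with explicit termination and the NULL branch, while the `>` lines carry the original unbounded strcpy(sbuf.name, modname), so applied as-is to an already fixed tree this would put the overflow back, and on a stock tree it only applies in reverse (patch -R). Suggest regenerating it as diff old new, ideally as a context diff that names the file, since a bare normal-format hunk gives neither the file name nor surrounding lines to confirm it landed in dostat().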

This also fixes a minor bug with an uninitialized printf() %s parameter if
passed a NULL modname.
-- 
Eivind Eklund             gopher://nic.follonett.no:79/0eivind
Work: eivind@dimaga.com   http://www.dimaga.com/
Home: perhaps@yes.no      http://maybes.yes.no/perhaps/
All of the above is a product of either your or my imagination, and not
official.


