From owner-freebsd-bugs Tue Dec 10 02:34:43 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id CAA02941 for bugs-outgoing; Tue, 10 Dec 1996 02:34:43 -0800 (PST)
Received: from nic.follonett.no (nic.follonett.no [194.198.43.10]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id CAA02936 for ; Tue, 10 Dec 1996 02:34:37 -0800 (PST)
Received: (from uucp@localhost) by nic.follonett.no (8.8.3/8.8.3) with UUCP id LAA21595; Tue, 10 Dec 1996 11:33:08 +0100 (MET)
Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id LAA09166; Tue, 10 Dec 1996 11:29:11 +0100 (MET)
Message-Id: <3.0.32.19961210112914.009a57f0@dimaga.com>
X-Sender: eivind@dimaga.com
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 10 Dec 1996 11:29:16 +0100
To: bugtraq@netspace.org, bugs@freebsd.org
From: Eivind Eklund
Subject: Re: L0pht Advisory: modstat
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> L0pht Security Advisory
> Advisory released Dec 9 1996
>
> Application: modstat
>
> Vulnerability Scope: systems with the *BSD
> distribution of modstat sgid kmem
>
> Author: mudge@l0pht.com
>
> The problem exists in the dostat() routine where an arbitrary sized string
> is shoved into sbuf.name through a strcpy().

Here is a patch for FreeBSD 2.1.6 (should be extremely similar on other BSD 4.4 derivates)

75,80c75,77
< if (modname != NULL) {
< strncpy(sbuf.name, modname, sizeof(sbuf.name));
< sbuf.name[sizeof(sbuf.name)-1] = 0; /* Ensure termination */
< } else {
< sbuf.name[0] = 0;
< }
---
> if (modname != NULL)
> strcpy(sbuf.name, modname);
>

This also fixes a minor bug with an uninitialized printf() %s parameter if passed a NULL modname.
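Review bot: the hunk is reversed relative to what the text describes: the `<` side carries the strncpy() fix and the `>` side the original strcpy(), so it was generated as `diff new old`, and feeding it to patch(1) as-is would put the strcpy() back. Regenerate it as `diff -u old new`, or tell readers to apply it with `patch -R`. The replacement itself is sound: `strncpy(sbuf.name, modname, sizeof(sbuf.name));` followed by `sbuf.name[sizeof(sbuf.name)-1] = 0;` covers the case where modname fills the buffer and strncpy() leaves it unterminated, and the new `else` branch zeroes `sbuf.name[0]` for the NULL case the body mentions. One remaining behavioural point: a modname of sizeof(sbuf.name) bytes or longer is now silently truncated rather than refused, so the status lookup proceeds on a name other than the one the user supplied; consider checking `strlen(modname) >= sizeof(sbuf.name)` and reporting an error instead.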
--
Eivind Eklund gopher://nic.follonett.no:79/0eivind
Work: eivind@dimaga.com http://www.dimaga.com/
Home: perhaps@yes.no http://maybes.yes.no/perhaps/
All of the above is a product of either your or my imagination, and not official.
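The pattern at issue in the advisory and the patch above, as an added C example that is not part of the original mail or of the FreeBSD modstat source: a fixed-size name field filled with strcpy() from caller-supplied input, beside two hardened forms. `struct modstat_buf`, `MODNAME_LEN`, the function names and the constructed inputs are assumptions for illustration; the real `sbuf` layout is not reproduced. `copy_name_truncating` follows the posted patch (bounded copy, explicit terminator, initialised empty name for NULL); `copy_name_checked` goes one step further and refuses names that do not fit instead of truncating them.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-size name field the advisory calls
 * sbuf.name. MODNAME_LEN and this struct are assumptions for the example,
 * not the real kernel structure. */
#define MODNAME_LEN 32

struct modstat_buf {
    char name[MODNAME_LEN];
    int  id;
};

/* The pattern the advisory describes: the caller-supplied string is copied
 * with strcpy(), so nothing bounds it to sizeof(sb->name); a name of
 * MODNAME_LEN bytes or more writes past the end of the field. Kept only as
 * the "before" for comparison and never called on long input below. */
void copy_name_unsafe(struct modstat_buf *sb, const char *modname)
{
    if (modname != NULL)
        strcpy(sb->name, modname);
}

/* Hardened form following the posted patch: bounded copy, an explicit NUL
 * (strncpy() does not terminate when the source fills the buffer), and an
 * initialised empty name when modname is NULL so a later printf("%s") never
 * reads an uninitialised field. Returns 1 when the name was truncated. */
int copy_name_truncating(struct modstat_buf *sb, const char *modname)
{
    if (modname == NULL) {
        sb->name[0] = '\0';
        return 0;
    }
    strncpy(sb->name, modname, sizeof(sb->name));
    sb->name[sizeof(sb->name) - 1] = '\0';
    return strlen(modname) >= sizeof(sb->name);
}

/* Stricter alternative: refuse over-long names instead of silently truncating,
 * so a lookup never proceeds on a name other than the one the caller gave.
 * Returns 0 on success, -1 if the name does not fit (buffer left untouched). */
int copy_name_checked(struct modstat_buf *sb, const char *modname)
{
    size_t n;

    if (modname == NULL) {
        sb->name[0] = '\0';
        return 0;
    }
    n = strlen(modname);
    if (n >= sizeof(sb->name))
        return -1;
    memcpy(sb->name, modname, n + 1);   /* n + 1 copies the terminator too */
    return 0;
}

/* Constructed over-long input: len-1 'A's, well past MODNAME_LEN. */
static void make_long_name(char *buf, size_t len)
{
    memset(buf, 'A', len - 1);
    buf[len - 1] = '\0';
}

/* Scenario helpers return 1 on the expected outcome so each case is a value
 * that can be checked, not just printed. */
int scenario_null_name(void)
{
    struct modstat_buf sb;
    return copy_name_truncating(&sb, NULL) == 0 && sb.name[0] == '\0';
}

int scenario_short_name(void)
{
    struct modstat_buf sb;
    return copy_name_checked(&sb, "lkm_demo") == 0
        && strcmp(sb.name, "lkm_demo") == 0;
}

int scenario_long_name_truncated(void)
{
    struct modstat_buf sb;
    char longname[64];
    make_long_name(longname, sizeof(longname));
    /* 63 bytes in, MODNAME_LEN-1 bytes kept, terminator guaranteed */
    return copy_name_truncating(&sb, longname) == 1
        && strlen(sb.name) == MODNAME_LEN - 1;
}

int scenario_long_name_rejected(void)
{
    struct modstat_buf sb;
    char longname[64];
    make_long_name(longname, sizeof(longname));
    sb.name[0] = 'x';                       /* marker: must stay untouched */
    return copy_name_checked(&sb, longname) == -1 && sb.name[0] == 'x';
}

int main(void)
{
    printf("NULL name handled:    %d\n", scenario_null_name());
    printf("short name copied:    %d\n", scenario_short_name());
    printf("long name truncated:  %d\n", scenario_long_name_truncated());
    printf("long name rejected:   %d\n", scenario_long_name_rejected());
    return 0;
}
```

The two hardened variants differ in policy, not safety: both keep every write inside `sizeof(sb->name)`, but the truncating one lets a 63-byte name quietly become a 31-byte one, while the checked one reports the mismatch to the caller.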