From owner-freebsd-security Sat Jun 27 14:37:53 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA04621 for freebsd-security-outgoing; Sat, 27 Jun 1998 14:37:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (root@time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA04616 for ; Sat, 27 Jun 1998 14:37:51 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id OAA03735; Sat, 27 Jun 1998 14:38:17 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: "Aaron D. Gifford" cc: security@FreeBSD.ORG Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT In-reply-to: Your message of "Sat, 27 Jun 1998 13:04:02 MDT." <35954222.F20D2144@infowest.com> Date: Sat, 27 Jun 1998 14:38:15 -0700 Message-ID: <3731.898983495@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Does the patch to pop_msg.c take into account that a "(void)strcat(message, > "\r\n"); call appears later on and adds 2 more chars to the message buffer? Heh, no. I missed that. Here's a revised patch: --- pop_msg.c.orig Sat Jun 27 03:09:47 1998 +++ pop_msg.c Sat Jun 27 14:35:49 1998 @@ -27,6 +27,7 @@ { POP * p; int stat; /* POP status indicator */ + int l, len; /* remaining buffer length */ char * format; /* Format string for the message */ va_list ap; register char * mp; @@ -50,6 +51,7 @@ /* Point to the message buffer */ mp = message; + len = sizeof(message); /* Format the POP status code at the beginning of the message */ if (stat == POP_SUCCESS) 
@@ -58,17 +60,18 @@ (void)sprintf (mp,"%s ",POP_ERR); /* Point past the POP status indicator in the message message */ - mp += strlen(mp); + l = strlen(mp); + len -= l, mp += l; /* Append the message (formatted, if necessary) */ if (format) #ifdef HAVE_VPRINTF - vsprintf(mp,format,ap); + vsnprintf(mp,len,format,ap); #else # ifdef PYRAMID - (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6); + (void)snprintf(mp,len,format, arg1, arg2, arg3, arg4, arg5, arg6); # else - (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2], + (void)snprintf(mp,len,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2], ((int *)ap)[3],((int *)ap)[4]); # endif #endif @@ -87,7 +90,8 @@ (p->user ? p->user : "(null)"), p->client, message); /* Append the */ - (void)strcat(message, "\r\n"); + len -= strlen(message); + (void)strncat(message, len, "\r\n"); /* Send the message to the client */ (void)fputs(message,p->output); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
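Review bot: in the first hunk (@@ -27,6 +27,7 @@), `int l, len;` should be `size_t l, len;`. Both values come from strlen()/sizeof and are then passed as the size argument of vsnprintf() and strncat(), so if the later arithmetic ever drives `len` negative the int converts to a huge size_t and the bound silently disappears; an unsigned type plus an explicit check that the budget has not underflowed keeps that failure visible.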
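Review bot: in the second hunk (@@ -50,6 +51,7 @@), `len = sizeof(message);` is only correct if `message` is declared as a fixed-size array in this function; the declaration is outside the context shown, so verify it is not a pointer (sizeof would then yield the pointer size). This is also the natural place to reserve the two bytes the later `strcat(message, "\r\n")` needs, e.g. `len = sizeof(message) - 2;`, so that every bound below already accounts for the terminator instead of being patched up at the end.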
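Review bot: in the third hunk (@@ -58,17 +60,18 @@), `vsnprintf(mp,len,format,ap);` is given the whole remaining buffer, so a body that fills it leaves no room for the "\r\n" appended afterwards, which is exactly the case the question raised; pass `len - 2` (or reserve those bytes where `len` is initialised) so the CRLF always fits. The vsnprintf return value is discarded, so a truncated reply goes out silently; compare it against `len` and at least log the truncation. Style: split `len -= l, mp += l;` into two statements. The `#else` branches swap sprintf for snprintf on platforms that lack vprintf; such platforms are unlikely to have snprintf either, so that path needs a configure check or a local implementation before it builds.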
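Review bot: the last hunk (@@ -87,7 +90,8 @@) has the strncat arguments in the wrong order: the prototype is `strncat(char *dst, const char *src, size_t n)`, so `(void)strncat(message, len, "\r\n");` passes the int as the source pointer and the string literal as the count; it will not compile cleanly and would crash if forced through. Two further problems: `len -= strlen(message);` subtracts the full message length from a `len` that already had the status-prefix length `l` removed in the previous hunk, so the budget is short by `l` and can go negative for a long reply; and strncat's `n` bounds the bytes taken from src, not the space left in dst, so even with the arguments in the right order it does not prevent `message` from overflowing. Suggest recomputing the budget and checking it, `len = sizeof(message) - strlen(message); if (len >= 3) (void)strcat(message, "\r\n");` (3 = CRLF plus NUL), or better, reserving the two bytes when the body is formatted so the plain strcat is always safe.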
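For comparison, here is an added example (not qpopper's code and not part of the thread) of a POP reply formatter that handles the case Aaron raised: it reserves room for the trailing CRLF and the NUL before formatting the body, so the final append can never run off the end. The 256-byte buffer size and the function names are assumptions; the size of qpopper's real `message` array is not shown above. The second function is a constructed check that brackets the buffer with canary bytes and feeds in a body far longer than the buffer.

```c
/* Added example, not qpopper's code: bounded "<status> <body>\r\n"
 * formatting that reserves space for the CRLF and NUL up front. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_BUF 256   /* assumed size; qpopper's real buffer size is not shown */
#define POP_OK  "+OK"
#define POP_ERR "-ERR"

/* Format "<status> <body>\r\n" into reply[REPLY_BUF].
 * Returns the length written (excluding the NUL). If the body did not fit
 * it is cut short and *truncated is set to 1; the CRLF is still present,
 * because its two bytes (plus the NUL) are never given to vsnprintf. */
int pop_reply(char reply[REPLY_BUF], int success, int *truncated,
              const char *fmt, ...)
{
    const char *status = success ? POP_OK : POP_ERR;
    size_t used, body_room;
    int n;
    va_list ap;

    if (truncated)
        *truncated = 0;

    /* Status word plus separating space; both prefixes are short constants. */
    used = (size_t)snprintf(reply, REPLY_BUF, "%s ", status);

    /* Budget for the body: whole buffer minus prefix minus 2 bytes for "\r\n".
     * vsnprintf itself keeps one more byte for the NUL it writes. */
    body_room = REPLY_BUF - used - 2;

    va_start(ap, fmt);
    n = vsnprintf(reply + used, body_room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                          /* encoding error */

    if ((size_t)n >= body_room) {           /* vsnprintf reports the length it wanted */
        if (truncated)
            *truncated = 1;
        used += body_room - 1;              /* only body_room-1 bytes were stored */
    } else {
        used += (size_t)n;
    }

    /* used <= REPLY_BUF - 3 here, so CRLF + NUL always fit. */
    memcpy(reply + used, "\r\n", 3);
    return (int)(used + 2);
}

/* Typical STAT reply into a static buffer, for the usage below. */
const char *pop_reply_stat_example(void)
{
    static char reply[REPLY_BUF];
    int trunc = 0;
    pop_reply(reply, 1, &trunc, "%d messages (%d octets)", 3, 1024);
    return reply;
}

/* Constructed check: canary bytes on both sides of the reply buffer and a
 * 999-byte body. Returns 1 if the canaries survive, the reply is NUL-terminated
 * inside the buffer, was reported as truncated and still ends in CRLF. */
int pop_reply_overflow_check(void)
{
    struct { char pre[8]; char reply[REPLY_BUF]; char post[8]; } g;
    char big[1000];
    int i, len, trunc = 0;

    memset(&g, 0xAA, sizeof g);
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    len = pop_reply(g.reply, 0, &trunc, "%s", big);

    for (i = 0; i < 8; i++)
        if ((unsigned char)g.pre[i] != 0xAA || (unsigned char)g.post[i] != 0xAA)
            return 0;                       /* canary clobbered: overflow */
    if (!trunc || len != REPLY_BUF - 1 || strlen(g.reply) != REPLY_BUF - 1)
        return 0;
    if (strncmp(g.reply, "-ERR AAAA", 9) != 0 || strcmp(g.reply + len - 2, "\r\n") != 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("%s", pop_reply_stat_example());
    printf("overflow check: %s\n", pop_reply_overflow_check() ? "ok" : "FAILED");
    return 0;
}
```

The design point is that the terminator's bytes are subtracted from the budget before the variable-length part is formatted, rather than being "found" afterwards; with that ordering the final append needs no length arithmetic at all, which is where the revised patch goes wrong.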