From owner-freebsd-audit Fri Dec 3 21:35:46 1999 Delivered-To: freebsd-audit@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 3064414BDB; Fri, 3 Dec 1999 21:35:45 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id E38151CD7C0 for ; Fri, 3 Dec 1999 21:35:44 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Fri, 3 Dec 1999 21:35:44 -0800 (PST) From: Kris Kennaway To: audit@freebsd.org Subject: Buffer overflows in libc (yp) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Can someone take a look over the attached patch against lib/libc/yp/yplib.c, which fixes two buffer overflows in the YP code? This is manifested in, e.g. 'ypcat -d $BIGBUF' which presently overflows and smashes the stack. Kris Index: yp/yplib.c =================================================================== RCS file: /home/ncvs//src/lib/libc/yp/yplib.c,v retrieving revision 1.31 diff -u -r1.31 yplib.c --- yplib.c 1999/08/28 00:02:58 1.31 +++ yplib.c 1999/12/04 05:23:10 @@ -29,7 +29,7 @@ */ #ifndef LINT -static char *rcsid = "$FreeBSD$"; +static char *rcsid = "$FreeBSD: src/lib/libc/yp/yplib.c,v 1.31 1999/08/28 00:02:58 peter Exp $"; #endif #include @@ -372,7 +372,7 @@ ysd->dom_client = NULL; ysd->dom_socket = -1; } - sprintf(path, "%s/%s.%d", BINDINGDIR, dom, 2); + snprintf(path, sizeof(path), "%s/%s.%d", BINDINGDIR, dom, 2); if( (fd=open(path, O_RDONLY)) == -1) { /* no binding file, YP is dead. */ /* Try to bring it back to life. */ @@ -503,7 +503,7 @@ *(u_short *)&ypbr.ypbind_resp_u.ypbind_bindinfo.ypbind_binding_port; gotit: ysd->dom_vers = YPVERS; - strcpy(ysd->dom_domain, dom); + strlcpy(ysd->dom_domain, dom, sizeof(ysd->dom_domain)-1); } /* Don't rebuild the connection to the server unless we have to. */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
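Review bot: the rcsid line in the @@ -29,7 hunk differs only because the CVS keyword was expanded in the working copy ("$FreeBSD$" became "$FreeBSD: src/lib/libc/yp/yplib.c,v 1.31 ... $"). It is unrelated to the overflow fix and should be dropped from the patch, so that the change consists only of the two bounds fixes.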
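Review bot: in the @@ -372,7 hunk the return value of snprintf(path, sizeof(path), ...) is not checked, so an overlong dom is silently truncated and the open(path, O_RDONLY) that follows operates on a path that no longer corresponds to the requested domain. Suggest comparing the return value against sizeof(path) and bailing out with an error before the open() when it is greater than or equal to that size. Note also that sizeof(path) is only the buffer size if path is declared as an array in this function, which the hunk does not show, so that is worth confirming.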
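Review bot: in the @@ -503,7 hunk the size argument to strlcpy() should be sizeof(ysd->dom_domain) rather than sizeof(ysd->dom_domain)-1. strlcpy() takes the full destination size and always NUL-terminates within it, so the -1 only makes the longest storable domain one byte shorter than the buffer allows. The copy also truncates silently, leaving ysd->dom_domain holding a different name than the caller's dom. Suggest checking whether the strlcpy() return value is greater than or equal to the size passed, or rejecting an overlong dom once at function entry so that this site and the snprintf() site are both covered.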