Date: Sat, 18 Oct 2008 22:29:43 GMT
From: Jeff Blank <jfb@mr-happy.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/128216: comms/qpage buffer overflow
Message-ID: <200810182229.m9IMThbB071911@www.freebsd.org>
Resent-Message-ID: <200810182230.m9IMU2rN018812@freefall.freebsd.org>
>Number:         128216
>Category:       ports
>Synopsis:       comms/qpage buffer overflow
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 18 22:30:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Jeff Blank
>Release:        7.0-RELEASE
>Organization:
>Environment:
FreeBSD zorak.tc.mtu.edu 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #0: Sat Sep 20 05:50:38 EDT 2008 root@zorak.tc.mtu.edu:/usr/obj/usr/src/sys/ULE_POLLING i386
>Description:
FreeBSD 7.0's new malloc subsystem plus certain combinations of SNPP sender, recipient, and callerid trigger a buffer overflow in srvrsnpp.c at line 704, where p->messageid, which was created with strdup(), has the contents of buff appended to it without being reallocated. As a result, the first byte of one (variable) element of 'p' (struct page) is overwritten with a (char)0 appended by strcat(), causing a blank sender, blank recipient (and silent failure), or blank message. It seems that other elements may be overwritten in this manner as well, resulting in an error message to the SNPP client.
>How-To-Repeat:
FreeBSD 7.0 is required to trigger the problem. It appears that one of these overwrites will occur when any page is sent with a sender/callerid of four or more bytes. Any working qpage.cf with users defined can be used. After starting the qpage daemon, submit a page with

    qpage -s <qpageserver> -f longsender -p recipient "message"

It is not necessary to have a modem connected, only to have an existing and unused serial device as the designated modem in qpage.cf. The qpage client may display an error message and exit, which is one of the possible results of this bug. If qpage succeeds, examine the file created in /var/spool/qpage, and one of the Pager, From, or Message fields in the spool file will be blank.
>Fix: attached patch Patch attached with submission follows: --- srvrsnpp.c.orig 1998-10-25 14:55:05.000000000 -0500 +++ srvrsnpp.c 2008-10-18 18:09:44.175331511 -0400 @@ -523,6 +523,7 @@ char *errmsg; char *a; char *b; + char *m; int i; int badarg; int gotpager; @@ -701,7 +702,16 @@ p->created = time(NULL); (void)sprintf(buff, "%d", pagecount++); - (void)strcat(p->messageid, buff); + m = (void *)malloc(sizeof(*m) * strlen(p->messageid) + sizeof(*m) * strlen(buff)); + if ( m == NULL ) { + message("554 Message failed (out of memory)"); + qpage_log(LOG_ERR, "snpp(): cannot allocate memory for p->messageid"); + clear_page(p, TRUE); + break; + } + (void)sprintf(m, "%s%s", p->messageid, buff); + my_free(p->messageid); + p->messageid = m; qpage_log(LOG_ALERT, "page submitted, id=%s, from=%s", p->messageid, >Release-Note: >Audit-Trail: >Unformatted:
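Review bot: the malloc() in the second hunk is one byte short: `sizeof(*m) * strlen(p->messageid) + sizeof(*m) * strlen(buff)` reserves room for the two strings but not for the terminating NUL, so the following `(void)sprintf(m, "%s%s", p->messageid, buff);` writes one byte past the end of the new block and replaces the original strcat() overrun with an off-by-one heap overflow. Size it as `strlen(p->messageid) + strlen(buff) + 1`; the `(void *)` cast and the `sizeof(*m)` factors (1 for char) add nothing and can go, or the whole allocate-and-format step can be done with `asprintf(3)`, checking its return value the same way the hunk already checks for NULL.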