From owner-freebsd-audit  Sat Dec  4 23: 9:24 1999
Delivered-To: freebsd-audit@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758)
	id 4383C15177; Sat,  4 Dec 1999 23:09:22 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	by hub.freebsd.org (Postfix) with ESMTP id 378941CD742
	for <audit@freebsd.org>; Sat,  4 Dec 1999 23:09:22 -0800 (PST)
	(envelope-from kris@hub.freebsd.org)
Date: Sat, 4 Dec 1999 23:09:22 -0800 (PST)
From: Kris Kennaway <kris@hub.freebsd.org>
To: audit@freebsd.org
Subject: arp.c patch
Message-ID: <Pine.BSF.4.21.9912042308350.34489-100000@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This one isn't likely exploitable, but it's still a small buffer overflow.
arp looks okay apart from this.

Kris

Index: arp.c
===================================================================
RCS file: /home/ncvs//src/usr.sbin/arp/arp.c,v
retrieving revision 1.19
diff -u -r1.19 arp.c
--- arp.c	1999/09/20 09:10:46	1.19
+++ arp.c	1999/12/05 07:08:16
@@ -212,8 +212,8 @@
 	args[4] = &arg[4][0];
 	retval = 0;
 	while(fgets(line, 100, fp) != NULL) {
-		i = sscanf(line, "%s %s %s %s %s", arg[0], arg[1], arg[2],
-		    arg[3], arg[4]);
+		i = sscanf(line, "%49s %49s %49s %49s %49s", arg[0], arg[1],
+		    arg[2], arg[3], arg[4])
 		if (i < 2) {
 			warnx("bad line: %s", line);
 			retval = 1;



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message