Date:      Tue, 21 Apr 1998 12:40:07 -0400 (EDT)
From:      Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To:        Robert Watson <robert@cyrus.watson.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Nasty security hole in "lprm" (fwd)
Message-ID:  <199804211640.MAA27807@khavrinen.lcs.mit.edu>
In-Reply-To: <Pine.BSF.3.96.980420135732.20071A-100000@fledge.watson.org>
References:  <Pine.BSF.3.96.980420135732.20071A-100000@fledge.watson.org>

<<On Mon, 20 Apr 1998 13:57:42 -0400 (EDT), Robert Watson <robert@cyrus.watson.org> said:

> Do we got this one?

Not since I rewrote rmjob.c:rmremote():

        /*
         * Counting:
         *      4 == "\5" + remote_queue + " " + person
         *      2 * users == " " + user[i] for each user
         *      requests == asprintf results for each request
         *      1 == "\n"
         * Although laborious, doing it this way makes it possible for
         * us to process requests of indeterminate length without
         * applying an arbitrary limit.  Arbitrary Limits Are Bad (tm).
         */
        niov = 4 + 2 * users + requests + 1;
        iov = malloc(niov * sizeof *iov);
        if (iov == 0)
                fatal(pp, "out of memory");
        iov[0].iov_base = "\5";
        iov[1].iov_base = pp->remote_queue;
        iov[2].iov_base = " ";
        iov[3].iov_base = all ? "-all" : person;
        for (i = 0; i < users; i++) {
                iov[4 + 2 * i].iov_base = " ";
                iov[4 + 2 * i + 1].iov_base = user[i];
        }
        for (i = 0; i < requests; i++) {
                asprintf(&iov[4 + 2 * users + i].iov_base, " %d", requ[i]);
                if (iov[4 + 2 * users + i].iov_base == 0)
                        fatal(pp, "out of memory");
        }
        iov[4 + 2 * users + requests].iov_base = "\n";
        for (totlen = i = 0; i < niov; i++)
                totlen += (iov[i].iov_len = strlen(iov[i].iov_base));

Now, on the other hand, I make no guarantees about what the server at
the other end is going to do when presented with such a request.
(Probably barf.)

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick
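
The counting approach in the message above, as an added, self-contained C example (not part of the original e-mail and not FreeBSD's rmjob.c). The names build_rm_request and free_rm_request are hypothetical, snprintf stands in for asprintf so the block builds without feature macros, and the wrap check on the entry count is an assumption added here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical helpers. Only the job-number strings are heap-owned. */
void free_rm_request(struct iovec *iov, size_t users, size_t requests)
{
	for (size_t i = 0; iov != NULL && i < requests; i++)
		free(iov[4 + 2 * users + i].iov_base);
	free(iov);
}

/* Builds "\5" queue SP person {SP user} {SP job} LF; returns NULL on failure. */
struct iovec *build_rm_request(const char *queue, const char *person,
    char *const *user, size_t users, const int *requ, size_t requests,
    size_t *niovp, size_t *totlenp)
{
	struct iovec *iov;
	size_t i, n = 0;
	/* The count itself must not wrap; calloc() checks the multiplication. */
	if (users > (SIZE_MAX - 5) / 4 || requests > (SIZE_MAX - 5) / 2)
		return NULL;
	*niovp = 4 + 2 * users + requests + 1;
	if ((iov = calloc(*niovp, sizeof *iov)) == NULL)
		return NULL;
	iov[n++].iov_base = (void *)"\5";
	iov[n++].iov_base = (void *)queue;
	iov[n++].iov_base = (void *)" ";
	iov[n++].iov_base = (void *)person;
	for (i = 0; i < users; i++) {
		iov[n++].iov_base = (void *)" ";
		iov[n++].iov_base = user[i];
	}
	for (i = 0; i < requests; i++) {
		int len = snprintf(NULL, 0, " %d", requ[i]);	/* size first */
		if (len < 0 || (iov[n].iov_base = malloc((size_t)len + 1)) == NULL) {
			free_rm_request(iov, users, requests);
			return NULL;
		}
		snprintf(iov[n++].iov_base, (size_t)len + 1, " %d", requ[i]);
	}
	iov[n++].iov_base = (void *)"\n";
	for (*totlenp = i = 0; i < *niovp; i++)
		*totlenp += (iov[i].iov_len = strlen(iov[i].iov_base));
	return iov;
}
```

The returned array can be passed to writev(2) as is; release it with free_rm_request using the same users and requests counts.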
