Date: Tue, 21 Apr 1998 12:40:07 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199804211640.MAA27807@khavrinen.lcs.mit.edu>
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG
Subject: Nasty security hole in "lprm" (fwd)

< said:

> Do we got this one?

Not since I rewrote rmjob.c:rmremote():

	/*
	 * Counting:
	 *	4 == "\5" + remote_queue + " " + person
	 *	2 * users == " " + user[i] for each user
	 *	requests == asprintf results for each request
	 *	1 == "\n"
	 * Although laborious, doing it this way makes it possible for
	 * us to process requests of indeterminate length without
	 * applying an arbitrary limit.  Arbitrary Limits Are Bad (tm).
	 */
	niov = 4 + 2 * users + requests + 1;
	iov = malloc(niov * sizeof *iov);
	if (iov == 0)
		fatal(pp, "out of memory");
	iov[0].iov_base = "\5";
	iov[1].iov_base = pp->remote_queue;
	iov[2].iov_base = " ";
	iov[3].iov_base = all ? "-all" : person;
	for (i = 0; i < users; i++) {
		iov[4 + 2 * i].iov_base = " ";
		iov[4 + 2 * i + 1].iov_base = user[i];
	}
	for (i = 0; i < requests; i++) {
		asprintf(&iov[4 + 2 * users + i].iov_base, " %d", requ[i]);
		if (iov[4 + 2 * users + i].iov_base == 0)
			fatal(pp, "out of memory");
	}
	iov[4 + 2 * users + requests].iov_base = "\n";
	for (totlen = i = 0; i < niov; i++)
		totlen += (iov[i].iov_len = strlen(iov[i].iov_base));

Now, on the other hand, I make no guarantees about what the server at
the other end is going to do when presented with such a request.
(Probably barf.)

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
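
The counting approach from the message above, as a self-contained added example (not part of the original post or of FreeBSD's rmjob.c). The function name build_rm_request and its parameters are assumptions; it formats job numbers into fixed 16-byte slots with snprintf instead of asprintf, rejects counts whose allocation size would wrap around, and flattens the pieces into one buffer so the result can be inspected.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>
/* Build "\5queue agent[ user]...[ job]...\n" in a buffer sized by counting.
 * Returns NULL on count overflow or allocation failure; caller frees. */
char *build_rm_request(const char *queue, const char *agent, char *const *user,
    size_t users, const int *requ, size_t requests, size_t *lenp)
{
	const size_t max = SIZE_MAX / sizeof(struct iovec);
	struct iovec *iov;
	char (*num)[16];	/* " %d" of a 32-bit int needs at most 13 bytes */
	char *buf = NULL, *p;
	size_t i, n = 0, niov, totlen = 0;
	/* Refuse counts for which niov * sizeof *iov would wrap around. */
	if (users > (max - 5) / 2 || requests > max - 5 - 2 * users)
		return NULL;
	niov = 4 + 2 * users + requests + 1;	/* same count as the excerpt */
	iov = malloc(niov * sizeof *iov);
	num = calloc(requests + 1, sizeof *num);	/* calloc checks its product */
	if (iov == NULL || num == NULL)
		goto out;
	iov[n++].iov_base = "\5";
	iov[n++].iov_base = (void *)queue;	/* only ever read from */
	iov[n++].iov_base = " ";
	iov[n++].iov_base = (void *)agent;
	for (i = 0; i < users; i++) {
		iov[n++].iov_base = " ";
		iov[n++].iov_base = user[i];
	}
	for (i = 0; i < requests; i++) {
		snprintf(num[i], sizeof num[i], " %d", requ[i]);
		iov[n++].iov_base = num[i];
	}
	iov[n++].iov_base = "\n";
	for (i = 0; i < niov; i++)
		totlen += (iov[i].iov_len = strlen(iov[i].iov_base));
	if ((buf = malloc(totlen + 1)) == NULL)
		goto out;
	for (p = buf, i = 0; i < niov; p += iov[i++].iov_len)
		memcpy(p, iov[i].iov_base, iov[i].iov_len);
	*p = '\0';
	*lenp = totlen;
out:
	free(iov);
	free(num);
	return buf;
}
```
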