Date: Tue, 22 Oct 1996 09:20:02 -0700 (PDT)
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-bugs
Subject: Re: bin/1863: On systems with setuid 'lpr' and defined printers, lpr breaks root
Message-ID: <199610221620.JAA08429@freefall.freebsd.org>
The following reply was made to PR bin/1863; it has been noted by GNATS.

From: roberto@keltia.freenix.fr (Ollivier Robert)
To: tqbf@enteract.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/1863: On systems with setuid 'lpr' and defined printers, lpr breaks root
Date: Tue, 22 Oct 1996 18:01:43 +0200

According to tqbf@enteract.com:
> >Fix:
> card() keeps track of the length of the string as it
> copies it, and the copy takes place in a while loop. Check
> the incremented length of the string against the size of
> the temporary buffer, and break the copy as soon as the length
> is greater than the size of the buffer.

Here is a fix which truncates the input string if longer than BUFSIZ. I
did not consider it worth dynamic allocation because the strings are
supposed to be short in the control file.

I've changed a sprintf into snprintf while I was here.

The lpr/* code is full of fixed buffers on the stack. Many of them can't
be exploited unless your /etc/printcap is hacked, and then you already
have a problem :-)

Thanks for the report.

Index: common_source/startdaemon.c
===================================================================
RCS file: /spare/FreeBSD-current/src/usr.sbin/lpr/common_source/startdaemon.c,v
retrieving revision 1.2
diff -u -2 -r1.2 startdaemon.c
--- startdaemon.c	1996/05/09 22:44:00	1.2
+++ startdaemon.c	1996/10/22 15:44:12
@@ -79,5 +79,5 @@
 		return(0);
 	}
-	(void) sprintf(buf, "\1%s\n", printer);
+	(void) snprintf(buf, sizeof buf, "\1%s\n", printer);
 	n = strlen(buf);
 	if (write(s, buf, n) != n) {
Index: lpr/lpr.c
===================================================================
RCS file: /spare/FreeBSD-current/src/usr.sbin/lpr/lpr/lpr.c,v
retrieving revision 1.7
diff -u -2 -r1.7 lpr.c
--- lpr.c	1996/05/11 19:00:55	1.7
+++ lpr.c	1996/10/22 15:28:52
@@ -470,6 +470,11 @@
 	register char *p1 = buf;
 	register int len = 2;
+	register int ilen = strlen (p2);
 
 	*p1++ = c;
+	if (ilen > BUFSIZ) {	/* avoir trashing the stack and get root */
+		ilen = BUFSIZ;
+		p2[ilen - 1] = '\0';
+	}
 	while ((c = *p2++) != '\0') {
 		*p1++ = (c == '\n') ? ' ' : c;

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #25: Tue Oct 15 21:13:57 MET DST 1996
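Review bot: in the startdaemon.c hunk the snprintf result is discarded with `(void)`, so an over-long printer name is silently cut and the truncated "\1<name>\n" request is still sent to lpd; since the context lines already show a `return(0)` failure path two lines up, treat overflow as a failure instead, e.g. `n = snprintf(buf, sizeof buf, "\1%s\n", printer); if (n < 0 || n >= sizeof buf) return(0);`, and drop the following `n = strlen(buf)`. Also confirm that `buf` is an array local to this function rather than a `char *`, since `sizeof buf` would otherwise be the pointer size; its declaration is outside the hunk.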
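Review bot: in the lpr.c card() hunk the cap does not account for the framing bytes and it writes into the caller's string. `len` starts at 2, i.e. the function emits two bytes besides the copied body, one of which (`*p1++ = c`) is stored before the loop; so a body clamped to BUFSIZ - 1 characters still produces BUFSIZ + 1 bytes, and if `buf` is BUFSIZ bytes (its declaration is above the hunk) the last byte lands past the end. Compare against `sizeof buf - 2` rather than BUFSIZ, and bound the while loop with a counter instead of storing `p2[ilen - 1] = '\0'` into the argument, which requires p2 to be writable and changes a string the caller may reuse. Minor: `strlen (p2)` has a space before the parenthesis where the startdaemon.c hunk writes `strlen(buf)`, and the comment reads "avoir" for "avoid".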
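As an added example, not lpr's code and not part of this PR thread, here is the bounded form of the card() pattern the fix above targets: the bound is checked against the caller-supplied buffer size before every store, the two framing bytes are reserved up front, and the input string is left untouched. The card layout (a type character, the body with newlines replaced by spaces, a terminating '\n') is assumed from the lpd control-file format; the hunk shows only the first two parts. `card_bounded`, `card_needed`, `card_check`, `card_selfcheck` and the constructed sample input are names of this example, not of lpr.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not FreeBSD lpr code.  A control-file "card" is assumed
 * to be: a type character, the body with embedded newlines turned into
 * spaces, and a terminating '\n' (the second byte behind "len = 2" in the
 * posted hunk; the trailing newline itself is an assumption).
 */

#define CARD_OVERHEAD 2           /* leading type character + trailing '\n' */
#define CHECK_MAX 256             /* buffer size used by the check helpers */

/* Constructed sample input: 64 bytes, longer than any small card buffer. */
static const char card_sample_long[] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";

/* Bytes a card for this body occupies when nothing is cut. */
size_t card_needed(const char *body)
{
    return strlen(body) + CARD_OVERHEAD;
}

/*
 * Build the card into buf[0..bufsize).  The bound is checked before every
 * store and body is never modified, so a body of any length is safe.
 * Returns the bytes written (0 if even "X\n" does not fit) and sets
 * *truncated when the body had to be cut.
 */
size_t card_bounded(char *buf, size_t bufsize, int type, const char *body,
                    int *truncated)
{
    size_t len = 0;
    size_t room;

    *truncated = 0;
    if (bufsize < CARD_OVERHEAD)
        return 0;
    room = bufsize - CARD_OVERHEAD;   /* bytes the body may occupy */
    buf[len++] = (char)type;
    for (; *body != '\0'; body++) {
        if (room == 0) {              /* out of room: cut, never overrun */
            *truncated = 1;
            break;
        }
        buf[len++] = (*body == '\n') ? ' ' : *body;
        room--;
    }
    buf[len++] = '\n';
    return len;
}

/*
 * Hypothetical check helper: build the card for body in a bufsize-byte
 * buffer and return -1 if it differs from expected, else the truncation
 * flag (0 or 1).
 */
int card_check(const char *body, size_t bufsize, const char *expected)
{
    char area[CHECK_MAX + 1];
    int trunc;
    size_t n;

    if (bufsize > CHECK_MAX)
        return -1;
    n = card_bounded(area, bufsize, 'N', body, &trunc);
    if (n != strlen(expected) || memcmp(area, expected, n) != 0)
        return -1;
    return trunc;
}

/*
 * Guard-byte check: fill the buffer and one byte past it with 'G', build
 * the card, and return 1 only if the guard survived, the length stayed
 * within bufsize, and the card is well formed (type char first, '\n'
 * last, no inner newlines).
 */
int card_selfcheck(const char *body, size_t bufsize)
{
    char area[CHECK_MAX + 1];
    int trunc;
    size_t n;

    if (bufsize > CHECK_MAX)
        return 0;
    memset(area, 'G', sizeof area);
    n = card_bounded(area, bufsize, 'N', body, &trunc);
    if (area[bufsize] != 'G' || n == 0 || n > bufsize)
        return 0;
    if (area[0] != 'N' || area[n - 1] != '\n')
        return 0;
    return memchr(area + 1, '\n', n - 2) == NULL;
}
```

A caller that wants lpr's old behaviour of writing the card straight to the control file would pass `sizeof buf` of its local array and check `truncated` to decide whether to abort the job rather than silently submit a cut name; the point of reserving CARD_OVERHEAD first is that the bound is on the bytes actually stored, not on the length of the input.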