From owner-freebsd-bugs Tue Oct 22 09:20:04 1996
Date: Tue, 22 Oct 1996 09:20:02 -0700 (PDT)
Message-Id: <199610221620.JAA08429@freefall.freebsd.org>
To: freebsd-bugs
From: roberto@keltia.freenix.fr (Ollivier Robert)
Subject: Re: bin/1863: On systems with setuid 'lpr' and defined printers, lpr breaks root

The following reply was made to PR bin/1863; it has been noted by GNATS.
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: tqbf@enteract.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/1863: On systems with setuid 'lpr' and defined printers, lpr breaks root
Date: Tue, 22 Oct 1996 18:01:43 +0200

According to tqbf@enteract.com:
> >Fix:
> card() keeps track of the length of the string as it
> copies it, and the copy takes place in a while loop. Check
> the incremented length of the string against the size of
> the temporary buffer, and break the copy as soon as the length
> is greater than the size of the buffer.

Here is a fix which truncates the input string if longer than BUFSIZ. I did not consider it worth dynamic allocation because the strings are supposed to be short in the control file.

I've changed a sprintf into snprintf while I was here. The lpr/* code is full of fixed buffers on the stack. Many of them can't be exploited unless your /etc/printcap is hacked, and then you already have a problem :-)

Thanks for the report.

Index: common_source/startdaemon.c =================================================================== RCS file: /spare/FreeBSD-current/src/usr.sbin/lpr/common_source/startdaemon.c,v retrieving revision 1.2 diff -u -2 -r1.2 startdaemon.c --- startdaemon.c 1996/05/09 22:44:00 1.2 +++ startdaemon.c 1996/10/22 15:44:12 @@ -79,5 +79,5 @@ return(0); } - (void) sprintf(buf, "\1%s\n", printer); + (void) snprintf(buf, sizeof buf, "\1%s\n", printer); n = strlen(buf); if (write(s, buf, n) != n) { Index: lpr/lpr.c =================================================================== RCS file: /spare/FreeBSD-current/src/usr.sbin/lpr/lpr/lpr.c,v retrieving revision 1.7 diff -u -2 -r1.7 lpr.c --- lpr.c 1996/05/11 19:00:55 1.7 +++ lpr.c 1996/10/22 15:28:52 
@@ -470,6 +470,11 @@ register char *p1 = buf; register int len = 2; + register int ilen = strlen (p2); *p1++ = c; + if (ilen > BUFSIZ) { /* avoir trashing the stack and get root */ + ilen = BUFSIZ; + p2[ilen - 1] = '\0'; + } while ((c = *p2++) != '\0') { *p1++ = (c == '\n') ? ' ' : c;
-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #25: Tue Oct 15 21:13:57 MET DST 1996
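Review bot: in the startdaemon.c hunk the snprintf return value is discarded, so a printer name longer than buf is silently cut and the shortened request is still sent: `n = strlen(buf)` then reports the truncated length and the write succeeds. Compare the return value against `sizeof buf` and fail the request instead of sending a partial name. Also note that `sizeof buf` only gives the buffer size if `buf` is declared as an array in this function; if it is a pointer the bound is the pointer size.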
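Review bot: the bound in the lpr.c card() hunk is off by at least one. With `if (ilen > BUFSIZ)` an input of exactly BUFSIZ characters is not truncated at all, and the loop then stores BUFSIZ characters after the tag byte already written by `*p1++ = c`, which is BUFSIZ + 1 bytes into a BUFSIZ-byte buf (the size the check implies). Even when the input is cut to BUFSIZ - 1 characters the loop fills buf completely, and since len starts at 2 with only one byte stored before the loop, at least one more byte is evidently appended after it and lands past the end. Cap at `BUFSIZ - 2`, or better, do what the PR suggested and compare len against the buffer size inside the while loop and break, which also avoids the second problem: `p2[ilen - 1] = '\0'` writes into the caller's string, mutating the argument and faulting if it points at read-only storage. Finally, the comment reads `avoir`; it should be `avoid`.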
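As an added illustration (not lpr's code and not part of the patch above), the following C shows the approach the PR text suggested for card(): check the bound inside the copy loop and stop, so the output buffer can never be overrun and the caller's string is left untouched. CARD_BUF, card_to_buf, card_len and card_truncated are hypothetical names chosen here; CARD_BUF stands in for BUFSIZ and is kept small so the truncation path is easy to exercise.

```c
#include <string.h>

/* Hypothetical stand-in for lpr's BUFSIZ-sized stack buffer in card();
 * kept small here so the truncation path is easy to exercise. */
#define CARD_BUF 16

/* Build one control-file card: the tag byte c, then p2 with newlines
 * mapped to spaces, then '\n'.  The bound is checked before every store,
 * so at most CARD_BUF bytes are written to out, and the input string is
 * never modified.  Returns the number of bytes placed in out; *truncated
 * (if non-NULL) is set when the line did not fit. */
static int card_to_buf(int c, const char *p2, char out[CARD_BUF], int *truncated)
{
    char *p1 = out;
    char *end = out + CARD_BUF - 1;          /* reserve the trailing '\n' */
    int cut = 0;

    *p1++ = (char)c;
    for (; *p2 != '\0'; p2++) {
        if (p1 >= end) {                     /* no room: stop, don't overrun */
            cut = 1;
            break;
        }
        *p1++ = (*p2 == '\n') ? ' ' : *p2;
    }
    *p1++ = '\n';
    if (truncated != NULL)
        *truncated = cut;
    return (int)(p1 - out);
}

/* Builds the card into a buffer with a guard byte after it and returns the
 * byte count, or -1 if the guard was overwritten (i.e. an overflow). */
static int card_len(int c, const char *p2, int *truncated)
{
    char guarded[CARD_BUF + 1];
    int n;
    guarded[CARD_BUF] = 'X';
    n = card_to_buf(c, p2, guarded, truncated);
    return guarded[CARD_BUF] == 'X' ? n : -1;
}

/* Convenience wrapper: 1 if the card for p2 had to be truncated, else 0. */
static int card_truncated(int c, const char *p2)
{
    int cut;
    card_len(c, p2, &cut);
    return cut;
}
```

A 14-character string is the largest that fits with the tag byte and newline in a 16-byte buffer, which is exactly the boundary a check of the form `ilen > BUFSIZ` gets wrong.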