Date: 20 Apr 2003 10:31:16 +0200
From: Sebastian Ssmoller <sebastian.ssmoller@gmx.net>
To: Kris Kennaway <kris@obsecurity.org>
Cc: FreeBSD-audit <audit@freebsd.org>
Subject: Re: Buffer overflow in disklabel
Message-ID: <1050827478.2737.4.camel@hadriel>
In-Reply-To: <1050826585.2052.12.camel@hadriel>
References: <20030420032303.GA25568@rot13.obsecurity.org> <1050826585.2052.12.camel@hadriel>

Sorry, I seem to have a problem with my email client :-(
Hope the attachment is now there...

seb

On Sun, 2003-04-20 at 10:16, Sebastian Ssmoller wrote:
> Hi,
> I attached a patch for that problem. Can someone have a look at it?
>
> But one thing is still unclear to me: Why do we need 8k buffer for the
> disk name?
>
> seb
>
> On Sun, 2003-04-20 at 05:23, Kris Kennaway wrote:
> > Run the following under /bin/sh (not tcsh, which - still! - has a bug
> > that causes the command to hang tcsh):
> >
> > # disklabel `perl -e 'print "a"x51200'`
> > Segmentation fault (core dumped)
> >
> > The responsible code is:
> >
> >         dkname = argv[0];
> >         if (dkname[0] != '/') {
> >                 (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
> >                 specname = np;
> >                 np += strlen(specname) + 1;
> >         } else
> >                 specname = dkname;
> >         f = open(specname, op == READ ? O_RDONLY : O_RDWR);
> >         if (f < 0 && errno == ENOENT && dkname[0] != '/') {
> >                 (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
> >                 np = namebuf + strlen(specname) + 1;
> >                 f = open(specname, op == READ ? O_RDONLY : O_RDWR);
> >         }
> >
> > i.e. overflowing an 8k buffer. Does anyone feel like fixing it?
> >
> > Kris
>
> ----
>
> _______________________________________________
> freebsd-audit@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-audit
> To unsubscribe, send any mail to "freebsd-audit-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1050827478.2737.4.camel>