From owner-freebsd-audit@FreeBSD.ORG Sun Apr 20 01:30:38 2003
Delivered-To: freebsd-audit@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A435A37B404 for ; Sun, 20 Apr 2003 01:30:38 -0700 (PDT)
Received: from mail.gmx.net (pop.gmx.net [213.165.65.60]) by mx1.FreeBSD.org (Postfix) with SMTP id 4ECF443FAF for ; Sun, 20 Apr 2003 01:30:37 -0700 (PDT) (envelope-from sebastian.ssmoller@gmx.net)
Received: (qmail 12541 invoked by uid 65534); 20 Apr 2003 08:30:35 -0000
Received: from Bb801.pppool.de (EHLO Bb801.pppool.de) (213.7.184.1) by mail.gmx.net (mp006-rz3) with SMTP; 20 Apr 2003 10:30:35 +0200
From: Sebastian Ssmoller
To: Kris Kennaway
cc: Freebsd Current
cc: FreeBSD-audit
Subject: Re: Buffer overflow in disklabel
Date: 20 Apr 2003 10:31:16 +0200
Message-Id: <1050827478.2737.4.camel@hadriel>
In-Reply-To: <1050826585.2052.12.camel@hadriel>
References: <20030420032303.GA25568@rot13.obsecurity.org> <1050826585.2052.12.camel@hadriel>
X-Mailer: Ximian Evolution 1.0.8-3mdk
List-Id: FreeBSD Security Audit

Sorry, I seem to have a problem with my email client :-(
Hope the attachment is now there...

seb

On Sun, 2003-04-20 at 10.16, Sebastian Ssmoller wrote:
> Hi,
> I attached a patch for that problem. Can someone have a look at it?
>
> But one thing is still unclear to me: Why do we need an 8k buffer for the
> disk name?
>
> seb
>
> On Sun, 2003-04-20 at 05.23, Kris Kennaway wrote:
> > Run the following under /bin/sh (not tcsh, which - still! - has a bug
> > that causes the command to hang tcsh):
> >
> > # disklabel `perl -e 'print "a"x51200'`
> > Segmentation fault (core dumped)
> >
> > The responsible code is:
> >
> >         dkname = argv[0];
> >         if (dkname[0] != '/') {
> >                 (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
> >                 specname = np;
> >                 np += strlen(specname) + 1;
> >         } else
> >                 specname = dkname;
> >         f = open(specname, op == READ ? O_RDONLY : O_RDWR);
> >         if (f < 0 && errno == ENOENT && dkname[0] != '/') {
> >                 (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
> >                 np = namebuf + strlen(specname) + 1;
> >                 f = open(specname, op == READ ? O_RDONLY : O_RDWR);
> >         }
> >
> > i.e. overflowing an 8k buffer. Does anyone feel like fixing it?
> >
> > Kris
> ----
>
> _______________________________________________
> freebsd-audit@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-audit
> To unsubscribe, send any mail to "freebsd-audit-unsubscribe@freebsd.org"
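A bounded version of the device-name construction in the quoted snippet, added here as an illustration and not FreeBSD's actual patch or the attachment from this thread: sprintf() is replaced by snprintf() and truncation is treated as an error, so the 51200-byte argument from the report fails with ENAMETOOLONG instead of writing past the 8k buffer. The names build_specname, specname_for and long_name_rejected are hypothetical, and PATH_DEV/RAW_PART are assumed to carry FreeBSD's values.

```c
/* Added example, not FreeBSD's disklabel code: the device name the quoted
 * sprintf() builds, constructed with a bound.  PATH_DEV and RAW_PART mirror
 * FreeBSD's values ("/dev/", partition 'c'); 8192 is the buffer size Kris cites. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PATH_DEV "/dev/"
#define RAW_PART 2
#define NAMEBUF_SIZE 8192

/* Returns 0 with namebuf filled, or -1 (errno = ENAMETOOLONG) if the name would
 * not fit.  raw != 0 appends the raw-partition letter, the original's first try. */
int build_specname(char *namebuf, size_t buflen, const char *dkname, int raw)
{
    int n;
    if (dkname[0] == '/')   /* absolute path: copy it, still length-checked */
        n = snprintf(namebuf, buflen, "%s", dkname);
    else if (raw)
        n = snprintf(namebuf, buflen, "%s%s%c", PATH_DEV, dkname, 'a' + RAW_PART);
    else
        n = snprintf(namebuf, buflen, "%s%s", PATH_DEV, dkname);
    /* n >= buflen means snprintf truncated; n < 0 an encoding error: refuse both */
    if (n < 0 || (size_t)n >= buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Wrapper over a static 8K buffer (like disklabel's); NULL when rejected. */
const char *specname_for(const char *dkname, int raw)
{
    static char namebuf[NAMEBUF_SIZE];
    return build_specname(namebuf, sizeof namebuf, dkname, raw) == 0 ? namebuf : NULL;
}

/* Returns 1 if a name of len 'a's (51200 in the report) is rejected cleanly. */
int long_name_rejected(size_t len)
{
    char *longname = malloc(len + 1);
    int rejected;
    if (longname == NULL) return 0;
    memset(longname, 'a', len);
    longname[len] = '\0';
    rejected = specname_for(longname, 1) == NULL && errno == ENAMETOOLONG;
    free(longname);
    return rejected;
}
```

The boundary is exact: "/dev/" plus 8186 name bytes plus the partition letter needs 8193 bytes including the terminator, so 8186 is the shortest name that is refused.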