Date: Wed, 7 Aug 1996 17:39:51 -0400 (EDT)
From: "Charles C. Figueiredo" <marxx@doomsday.org>
To: current@freebsd.org
Subject: exploitable security risk
Message-ID: <Pine.BSF.3.91.960807172333.16215A-100000@apocalypse.superlink.net>
/usr/src/usr.bin/modstat/modstat.c does a blind strcpy from a char pointer into a 32-byte buffer. What makes this worse is that strcpy does not check len, and what's being copied into the 32-byte buffer is specified via argv. If it were a bigger buffer it'd be easier to exploit, but anyone proficient in x86 asm could probably handle 32 bytes. It's quite obvious that this is a very possible buffer overflow.

I've prepared a diff from the latest modstat.c to a more secure modstat.c ;-)

--
48a49,50
> #define MNLEN 32
>
75,76c77,78
< if (modname != NULL)
< strcpy(sbuf.name, modname);
---
> if ( modname != NULL)
> strncpy(sbuf.name, modname, MNLEN);
--

------------------------------------------------------------------------------
Charles C. Figueiredo                    CCF13                    marxx@doomsday.org
------------------------------------------------------------------------------
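Review bot: in the 48a49,50 hunk, `#define MNLEN 32` is a second, hand-maintained copy of the name field's size and will silently drift if the struct definition ever changes; derive the bound from the field itself (sizeof(sbuf.name)) instead of a separate constant.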
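Review bot: in the 75,76c77,78 hunk, `strncpy(sbuf.name, modname, MNLEN)` leaves sbuf.name with no terminating NUL whenever modname is 32 or more characters, so the overflow is traded for an unterminated string that whatever reads the field next will run past; either copy at most MNLEN - 1 bytes and set `sbuf.name[MNLEN - 1] = '\0'`, or better for a lookup tool, reject a name that does not fit, since a silently truncated name would query a different module than the one the user asked for. The added space in `if ( modname != NULL)` is an unrelated whitespace change and should be dropped.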
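The following is an added illustration, not code from the mail or from FreeBSD's modstat: it shows why a full-length strncpy still leaves the 32-byte name field unterminated, and two bounded copies that do not. MNLEN and the 32-byte field mirror the mail; the struct stand-in, the function names and the sample names are constructed for this example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the 32-byte name field described in the mail;
 * the real modstat struct is not reproduced here. */
#define MNLEN 32

/* Scratch destination used by the demo (and by the tests). */
char modname_buf[MNLEN];

/* 1. The copy proposed in the diff: strncpy(dst, src, MNLEN). strncpy pads
 *    short sources with NULs, but when src has MNLEN or more characters it
 *    writes no terminator at all. Returns true if dst ended up terminated. */
bool strncpy_full_is_terminated(char dst[MNLEN], const char *src)
{
    strncpy(dst, src, MNLEN);
    return memchr(dst, '\0', MNLEN) != NULL;
}

/* 2. A bounded copy that always terminates: copy at most MNLEN - 1 bytes
 *    and write the NUL explicitly. Returns true if src was truncated. */
bool copy_modname_truncating(char dst[MNLEN], const char *src)
{
    size_t n = strlen(src);
    bool truncated = n >= MNLEN;
    size_t take = truncated ? MNLEN - 1 : n;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return truncated;
}

/* 3. For a lookup tool like modstat a silently truncated name would refer to
 *    a different module than the one asked for, so rejecting over-long input
 *    is the safer fix. Returns 0 on success, -1 if src does not fit (dst is
 *    left untouched). */
int copy_modname_strict(char dst[MNLEN], const char *src)
{
    if (strlen(src) >= MNLEN)
        return -1;
    memcpy(dst, src, strlen(src) + 1);  /* length checked above, NUL included */
    return 0;
}

int main(void)
{
    /* Constructed 32-character name, one byte too long for the field. */
    const char *toolong = "0123456789abcdef0123456789abcdef";
    return copy_modname_strict(modname_buf, toolong) == -1 ? 0 : 1;
}
```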