Date: 2 Feb 2001 23:28:35 -0000 From: venglin@freebsd.lublin.pl To: FreeBSD-gnats-submit@freebsd.org Subject: bin/24810: kerberosIV and heimdal ftpd is vulnerable to buffer overflow Message-ID: <20010202232835.70065.qmail@riget.scene.pl>
>Number: 24810 >Category: bin >Synopsis: kerberosIV and heimdal ftpd is vulnerable to buffer overflow >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Feb 02 15:40:00 PST 2001 >Closed-Date: >Last-Modified: >Originator: Przemyslaw Frasunek >Release: FreeBSD 4.2-STABLE i386 >Organization: ISMEDIA >Environment: FreeBSD 4.2-STABLE as of 3 Feb 2001. >Description: KTH Kerberos5 and KerberosIV ftpd is vulnerable to strtok() based stack overflow. >How-To-Repeat: N/A >Fix: --- crypto/heimdal/appl/ftp/ftpd/popen.c.orig Sat Feb 3 00:20:07 2001 +++ crypto/heimdal/appl/ftp/ftpd/popen.c Sat Feb 3 00:23:10 2001 @@ -66,6 +66,9 @@ #include <roken.h> +#define MAXUSRARGS 100 +#define MAXGLOBARGS 1000 + /* * Special version of popen which avoids call to shell. This ensures * no one may create a pipe to a hidden program as a side effect of a @@ -103,7 +106,7 @@ char *cp; FILE *iop; int argc, gargc, pdes[2], pid; - char **pop, *argv[100], *gargv[1000]; + char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS]; char *foo; if (strcmp(type, "r") && strcmp(type, "w")) @@ -126,14 +129,14 @@ /* break up string into pieces */ foo = NULL; - for (argc = 0, cp = program;; cp = NULL) { + for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) { if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo))) break; } gargv[0] = (char*)ftp_rooted(argv[0]); /* glob each piece */ - for (gargc = argc = 1; argv[argc]; argc++) { + for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; 
@@ -141,7 +144,7 @@ if (no_glob || glob(argv[argc], flags, NULL, &gl)) gargv[gargc++] = strdup(argv[argc]); else - for (pop = gl.gl_pathv; *pop; pop++) + for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++) gargv[gargc++] = strdup(*pop); globfree(&gl); } --- crypto/kerberosIV/appl/ftp/ftpd/popen.c.orig Sat Feb 3 00:26:04 2001 +++ crypto/kerberosIV/appl/ftp/ftpd/popen.c Sat Feb 3 00:24:25 2001 @@ -66,6 +66,9 @@ #include <roken.h> +#define MAXUSRARGS 100 +#define MAXGLOBARGS 1000 + /* * Special version of popen which avoids call to shell. This ensures * no one may create a pipe to a hidden program as a side effect of a @@ -103,7 +106,7 @@ char *cp; FILE *iop; int argc, gargc, pdes[2], pid; - char **pop, *argv[100], *gargv[1000]; + char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS]; char *foo; if (strcmp(type, "r") && strcmp(type, "w")) @@ -126,14 +129,14 @@ /* break up string into pieces */ foo = NULL; - for (argc = 0, cp = program;; cp = NULL) { + for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) { if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo))) break; } gargv[0] = (char*)ftp_rooted(argv[0]); /* glob each piece */ - for (gargc = argc = 1; argv[argc]; argc++) { + for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; @@ -141,7 +144,7 @@ if (no_glob || glob(argv[argc], flags, NULL, &gl)) gargv[gargc++] = strdup(argv[argc]); else - for (pop = gl.gl_pathv; *pop; pop++) + for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++) gargv[gargc++] = strdup(*pop); globfree(&gl); } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
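Review bot: In the tokenizing hunk (@@ -126,14 +129,14 @@, identical in both files) the new bound `argc < MAXUSRARGS` does not guarantee that argv is NULL-terminated. If the loop ends because argc reached MAXUSRARGS rather than because strtok_r returned NULL, every slot up to argv[MAXUSRARGS-1] holds a token and no terminating NULL is ever stored; the following `for (gargc = argc = 1; argv[argc] && ...` then reads argv[MAXUSRARGS], one element past the array. Suggest bounding the loop at `argc < MAXUSRARGS - 1` and storing `argv[argc] = NULL` after it, or treating a command with too many words as an error and returning NULL instead of running a silently truncated command.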
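Review bot: In the glob hunk (@@ -141,7 +144,7 @@ in both files) the new `gargc < (MAXGLOBARGS-1)` condition stops the overflow but drops the remaining glob matches, and through the same check in the outer loop any remaining argv words, without any indication, so the child is executed with a different argument list than the one the client sent. Logging the truncation or failing the request would be safer than silently running a shortened command. Also confirm that the code just past this hunk still stores the terminating NULL in gargv[gargc]; with the new bound gargc is at most MAXGLOBARGS-1, so that store stays in range, and the unchecked `strdup()` results in the visible lines remain a pre-existing NULL-dereference risk under memory pressure.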