From owner-freebsd-bugs Fri Feb 2 15:40:24 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8959737B4EC for ; Fri, 2 Feb 2001 15:40:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f12Ne1b50303; Fri, 2 Feb 2001 15:40:01 -0800 (PST) (envelope-from gnats)
Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.96.18]) by hub.freebsd.org (Postfix) with SMTP id 0972637B491 for ; Fri, 2 Feb 2001 15:30:39 -0800 (PST)
Received: (qmail 49219 invoked from network); 2 Feb 2001 23:32:34 -0000
Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11) by 0 with SMTP; 2 Feb 2001 23:32:34 -0000
Received: (qmail 70070 invoked from network); 2 Feb 2001 23:28:35 -0000
Received: from unknown (HELO riget.scene.pl) () by 0 with SMTP; 2 Feb 2001 23:28:35 -0000
Received: (qmail 70066 invoked by uid 1001); 2 Feb 2001 23:28:35 -0000
Message-Id: <20010202232835.70065.qmail@riget.scene.pl>
Date: 2 Feb 2001 23:28:35 -0000
From: venglin@freebsd.lublin.pl Reply-To: venglin@freebsd.lublin.pl To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: bin/24810: kerberosIV and heimdal ftpd is vulnerable to buffer overflow Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 24810 >Category: bin >Synopsis: kerberosIV and heimdal ftpd is vulnerable to buffer overflow >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Feb 02 15:40:00 PST 2001 >Closed-Date: >Last-Modified: >Originator: Przemyslaw Frasunek >Release: FreeBSD 4.2-STABLE i386 >Organization: ISMEDIA >Environment: FreeBSD 4.2-STABLE as of 3 Feb 2001. >Description: KTH Kerberos5 and KerberosIV ftpd is vulnerable to strtok() based stack overflow. >How-To-Repeat: N/A >Fix: --- crypto/heimdal/appl/ftp/ftpd/popen.c.orig Sat Feb 3 00:20:07 2001 +++ crypto/heimdal/appl/ftp/ftpd/popen.c Sat Feb 3 00:23:10 2001 @@ -66,6 +66,9 @@ #include +#define MAXUSRARGS 100 +#define MAXGLOBARGS 1000 + /* * Special version of popen which avoids call to shell. This ensures * no one may create a pipe to a hidden program as a side effect of a @@ -103,7 +106,7 @@ char *cp; FILE *iop; int argc, gargc, pdes[2], pid; - char **pop, *argv[100], *gargv[1000]; + char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS]; char *foo; if (strcmp(type, "r") && strcmp(type, "w")) @@ -126,14 +129,14 @@ /* break up string into pieces */ foo = NULL; - for (argc = 0, cp = program;; cp = NULL) { + for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) { if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo))) break; } gargv[0] = (char*)ftp_rooted(argv[0]); /* glob each piece */ - for (gargc = argc = 1; argv[argc]; argc++) { + for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; 
@@ -141,7 +144,7 @@ if (no_glob || glob(argv[argc], flags, NULL, &gl)) gargv[gargc++] = strdup(argv[argc]); else - for (pop = gl.gl_pathv; *pop; pop++) + for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++) gargv[gargc++] = strdup(*pop); globfree(&gl); } --- crypto/kerberosIV/appl/ftp/ftpd/popen.c.orig Sat Feb 3 00:26:04 2001 +++ crypto/kerberosIV/appl/ftp/ftpd/popen.c Sat Feb 3 00:24:25 2001 @@ -66,6 +66,9 @@ #include +#define MAXUSRARGS 100 +#define MAXGLOBARGS 1000 + /* * Special version of popen which avoids call to shell. This ensures * no one may create a pipe to a hidden program as a side effect of a @@ -103,7 +106,7 @@ char *cp; FILE *iop; int argc, gargc, pdes[2], pid; - char **pop, *argv[100], *gargv[1000]; + char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS]; char *foo; if (strcmp(type, "r") && strcmp(type, "w")) @@ -126,14 +129,14 @@ /* break up string into pieces */ foo = NULL; - for (argc = 0, cp = program;; cp = NULL) { + for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) { if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo))) break; } gargv[0] = (char*)ftp_rooted(argv[0]); /* glob each piece */ - for (gargc = argc = 1; argv[argc]; argc++) { + for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) { glob_t gl; int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE; @@ -141,7 +144,7 @@ if (no_glob || glob(argv[argc], flags, NULL, &gl)) gargv[gargc++] = strdup(argv[argc]); else - for (pop = gl.gl_pathv; *pop; pop++) + for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++) gargv[gargc++] = strdup(*pop); globfree(&gl); } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
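Review bot: in the `@@ -126,14 +129,14 @@` hunk of both popen.c files, the tokenizing loop can exit without NULL-terminating argv. When the input yields MAXUSRARGS or more tokens, argv[0..MAXUSRARGS-1] are all filled, argc reaches MAXUSRARGS and the loop ends before strtok_r ever returns NULL, so the following `for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++)` reads argv[MAXUSRARGS], one element past the end of the array. Add `argv[MAXUSRARGS - 1] = NULL;` directly after the loop (this drops the last token only when the cap is hit and is a no-op otherwise) so the array is always terminated; the heimdal and kerberosIV copies are identical, so the same line belongs in both.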
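Review bot: in the `@@ -141,7 +144,7 @@` hunk, the `gargc < (MAXGLOBARGS-1)` bound on the gl.gl_pathv walk stops the overflow but silently discards the remaining glob matches, so the command is then executed with a truncated argument list and neither the client nor the log learns that this happened; consider failing the call instead (globfree, free the strdup'd gargv entries, return NULL) or at least logging when either cap is reached, since a clipped argument list is a quiet change in behaviour rather than an error. The -1 appears to reserve the last slot for a terminating NULL that is assigned after the loop, outside this hunk; worth confirming that assignment is still reached on the truncated path so gargv stays terminated before execv.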