From: Assar Westerlund
To: Matt Dillon
Cc: "Jacques A. Vidrine", Cy Schubert - ITSD Open Systems Group, Mike Tancsa, Kris Kennaway, security@FreeBSD.ORG
Subject: Re: FreeBSD remote root exploit ?
Date: 19 Jul 2001 19:05:51 +0200
In-Reply-To: Matt Dillon's message of "Thu, 19 Jul 2001 09:57:16 -0700 (PDT)"
Message-ID: <5llmlk26j4.fsf@assaris.sics.se>

Matt Dillon writes:

> Oh joy. Hmm. Then I don't know... it calls output_data() to generate
> the AYT answer, I don't see anything particularly wrong with the code
> unless nfrontp exceeds BUFSIZ. That's fragile, it could be that something
> else is causing nfrontp to exceed BUFSIZ and breaks the snprintf()
> 'remaining' calculation in output_data().

output_data adds the result from vsnprintf() to nfrontp. If there's
not enough room for the formatted string in `remaining', vsnprintf()
returns the size that would be required.

Bad me, no cookie.

/assar
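The vsnprintf() return-value behaviour described in the message above, as an added example that is not part of the original post and is not the telnetd source. The struct, the 16-byte buffer, the helper names and the sample strings are constructed for illustration; `used` stands in for the offset of nfrontp into the output buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#define OBUF_SIZE 16              /* constructed small size, stands in for BUFSIZ */
struct outbuf {
    char   buf[OBUF_SIZE];
    size_t used;                  /* plays the role of nfrontp - netobuf */
};

/* The 'remaining' calculation, done signed so a bad offset is visible. */
static long remaining(const struct outbuf *o) { return (long)sizeof o->buf - (long)o->used; }

/* Pattern from the message: add vsnprintf()'s return value to the offset. */
static size_t append_unchecked(struct outbuf *o, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(o->buf + o->used, (size_t)remaining(o), fmt, ap);
    va_end(ap);
    if (n > 0) o->used += (size_t)n;  /* n is the length wanted, not the length written */
    return o->used;
}

/* Hardened form: reject truncated output, so used < OBUF_SIZE always holds. */
static int append_checked(struct outbuf *o, const char *fmt, ...)
{
    va_list ap;
    long room = remaining(o);
    if (room <= 0) return -1;
    va_start(ap, fmt);
    int n = vsnprintf(o->buf + o->used, (size_t)room, fmt, ap);
    va_end(ap);
    if (n < 0 || n >= room) {
        o->buf[o->used] = '\0';   /* discard the partial write */
        return -1;
    }
    o->used += (size_t)n;
    return 0;
}

int main(void)
{
    struct outbuf a = {{0}, 0}, b = {{0}, 0};
    for (int i = 0; i < 2; i++) {             /* second call has only 6 bytes of room */
        append_unchecked(&a, "%s", "0123456789");
        append_checked(&b, "%s", "0123456789");
    }
    printf("unchecked: used=%zu remaining=%ld\n", a.used, remaining(&a));
    printf("checked:   used=%zu remaining=%ld buf=%s\n", b.used, remaining(&b), b.buf);
}
```

The example stops after the second unchecked call on purpose: with a negative `remaining`, the size passed to the next vsnprintf() would be converted to a very large unsigned value and the bound would no longer limit the write.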