Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 19 Jul 2001 20:59:48 +0300
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Matt Dillon <dillon@earth.backplane.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID:  <20010719205948.D67829@sunbay.com>
In-Reply-To: <200107191752.f6JHqer75736@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 10:52:40AM -0700
References:  <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Thu, Jul 19, 2001 at 10:52:40AM -0700, Matt Dillon wrote:
> 
> :go to /usr/src/crypto/telnet/telnetd
> :and type
> :shell~# patch -p < /where/is/the/file.patch
> 
>     It isn't really safe code.  If the data being formatted is large
>     r then the format argument you can overflow the buffer, and the
>     'ret' from vsnprintf() is the amount of data that would have been
>     output if the buffer had been large enough, not the amount of data
>     that was actually output.  Also, size_t is unsigned, which means
>     if you overflow the buffer by one byte you are screwed.
> 
>     There appear to be a number of places (mainly the DIAG code, but also
>     the ENCRYPT code) where this is true.  This patch will fix the existing
>     options-based hole, but doesn't close it.
> 
Doesn't this handle this?

int
output_data(const char *format, ...)
{
        va_list args;
        size_t remaining, ret;
        va_start(args, format);
        remaining = BUFSIZ - (nfrontp - netobuf);
        /* try a netflush() if the room is too low */
        if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
                netflush();
                remaining = BUFSIZ - (nfrontp - netobuf);
        }
        ret = vsnprintf(nfrontp, remaining, format, args);
        nfrontp += ret;
        va_end(args);
        return ret;
}

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010719205948.D67829>