From owner-freebsd-security  Thu Jul 19 11:17:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67])
	by hub.freebsd.org (Postfix) with ESMTP
	id F0C5A37B405; Thu, 19 Jul 2001 11:17:28 -0700 (PDT)
	(envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost)
	by earth.backplane.com (8.11.4/8.11.2) id f6JIHSJ76262;
	Thu, 19 Jul 2001 11:17:28 -0700 (PDT)
	(envelope-from dillon)
Date: Thu, 19 Jul 2001 11:17:28 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
Message-Id: <200107191817.f6JIHSJ76262@earth.backplane.com>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


:>     the ENCRYPT code) where this is true.  This patch will fix the existing
:>     options-based hole, but doesn't close it.
:> 
:Doesn't this handle this?
:
:int
:output_data(const char *format, ...)
:{
:        va_list args;
:        size_t remaining, ret;
:        va_start(args, format);
:        remaining = BUFSIZ - (nfrontp - netobuf);
:        /* try a netflush() if the room is too low */
:        if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
:            ^^^^^^^^^^^^^^^^^^^^^^^^^^

    Nope.  What if the format is "%d" and the number is "123"?  Or
    that format is "%s" and the argument is "abcdefghijklmnopqrstuvwxyz"?
    Then strlen(format) could be < remaining but the result of the vsnprintf()
    could still be > remaining.

    The output_data() calls for the various options are safe, strlen(format)
    will always be larger then the actual formatted result.  But the 
    debugging and crypto calls to output_data() are not safe.

						-Matt

:                netflush();
:                remaining = BUFSIZ - (nfrontp - netobuf);
:        }
:        ret = vsnprintf(nfrontp, remaining, format, args);


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message