Date: Thu, 19 Jul 2001 11:17:28 -0700 (PDT) From: Matt Dillon <dillon@earth.backplane.com> To: Ruslan Ermilov <ru@FreeBSD.ORG> Cc: security@FreeBSD.ORG Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Message-ID: <200107191817.f6JIHSJ76262@earth.backplane.com> References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com>
next in thread | previous in thread | raw e-mail | index | archive | help
:> the ENCRYPT code) where this is true. This patch will fix the existing
:> options-based hole, but doesn't close it.
:>
:Doesn't this handle this?
:
:int
:output_data(const char *format, ...)
:{
: va_list args;
: size_t remaining, ret;
: va_start(args, format);
: remaining = BUFSIZ - (nfrontp - netobuf);
: /* try a netflush() if the room is too low */
: if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Nope. What if the format is "%d" and the number is "123"? Or
that format is "%s" and the argument is "abcdefghijklmnopqrstuvwxyz"?
Then strlen(format) could be < remaining but the result of the vsnprintf()
could still be > remaining.
The output_data() calls for the various options are safe, strlen(format)
will always be larger then the actual formatted result. But the
debugging and crypto calls to output_data() are not safe.
-Matt
: netflush();
: remaining = BUFSIZ - (nfrontp - netobuf);
: }
: ret = vsnprintf(nfrontp, remaining, format, args);
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107191817.f6JIHSJ76262>