Date: 7 Dec 2000 11:16:03 -0000
From: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/23352: [SECURITY] buffer overflow in opieftpd
Message-ID: <20001207111603.61676.qmail@riget.scene.pl>
Resent-Message-ID: <200012071120.eB7BK5t24681@freefall.freebsd.org>
>Number: 23352
>Category: bin
>Synopsis: [SECURITY] buffer overflow in opieftpd
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 07 03:20:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 4.2-STABLE i386
>Organization:
ISMEDIA
>Environment:
FreeBSD 4.2-STABLE as of 5th December 2000.
>Description:
ftpd_popen() from opieftpd contains a buffer overflow. opieftpd is not
compiled by default.
>How-To-Repeat:
N/A
>Fix:
--- popen.c.bak Thu Dec 7 12:11:24 2000
+++ popen.c Thu Dec 7 12:18:04 2000
@@ -82,10 +82,13 @@
#include <string.h>
#endif /* HAVE_STRING_H */
#include "opie.h"
+#define MAXUSRARGS 100
+#define MAXGLOBARGS 1000
+
char **ftpglob __P((register char *));
char **copyblk __P((char **));
VOIDRET blkfree __P((char **));
/*
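Review bot: the new MAXUSRARGS and MAXGLOBARGS defines carry no comment saying whether the count includes the slot for the terminating NULL, and every loop bound in the next hunk hand-writes a "-1" to account for it. A one-line comment on the defines, or bounding the loops with sizeof(argv)/sizeof(argv[0]) and sizeof(gargv)/sizeof(gargv[0]), would keep the limits tied to the array declarations and make the off-by-one reasoning easier to check.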
@@ -101,34 +104,36 @@
FILE *ftpd_popen FUNCTION((program, type), char *program AND char *type)
{
char *cp;
FILE *iop;
int argc, gargc, pdes[2];
- char **pop, *argv[100], *gargv[1000], *vv[2];
+ char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS], *vv[2];
if ((*type != 'r' && *type != 'w') || type[1])
return (NULL);
if (pipe(pdes) < 0)
return (NULL);
/* break up string into pieces */
- for (argc = 0, cp = program;; cp = NULL)
+ for (argc = 0, cp = program; argc < MAXUSRARGS-1; cp = NULL) {
if (!(argv[argc++] = strtok(cp, " \t\n")))
break;
+ }
+ argv[argc - 1] = NULL;
/* glob each piece */
gargv[0] = argv[0];
- for (gargc = argc = 1; argv[argc]; argc++) {
+ for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
if (!(pop = (char **) ftpglob(argv[argc]))) {
/* globbing failed */
vv[0] = argv[argc];
vv[1] = NULL;
pop = (char **) copyblk(vv);
}
argv[argc] = (char *) pop; /* save to free later */
- while (*pop && gargc < 1000)
+ while (*pop && gargc < MAXGLOBARGS-1)
gargv[gargc++] = *pop++;
}
gargv[gargc] = NULL;
iop = NULL;
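Review bot: in the tokenizing loop, when the loop ends because argc reached MAXUSRARGS-1 rather than through the break, argv[argc - 1] still holds a real token, and the following "argv[argc - 1] = NULL;" overwrites it, so the last argument is silently dropped and the command runs truncated. Consider failing the call when the limit is hit (pdes is already open at that point and would need closing), or writing the terminator to argv[argc] on that path, which is still inside the array. Separately, the glob loop can now stop early on "gargc < (MAXGLOBARGS-1)", which leaves the remaining argv[] entries as strtok() pointers rather than blocks returned by ftpglob() or copyblk(); given the "save to free later" comment, the cleanup code outside this hunk should be checked so that it does not free those entries.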
>Release-Note:
>Audit-Trail:
>Unformatted:
