From owner-freebsd-bugs Thu Dec 7 3:20: 8 2000
From owner-freebsd-bugs@FreeBSD.ORG Thu Dec 7 03:20:05 2000
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 6489937B401 for ; Thu, 7 Dec 2000 03:20:05 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id eB7BK5t24681; Thu, 7 Dec 2000 03:20:05 -0800 (PST) (envelope-from gnats)
Resent-Date: Thu, 7 Dec 2000 03:20:05 -0800 (PST)
Resent-Message-Id: <200012071120.eB7BK5t24681@freefall.freebsd.org>
Resent-From: gnats-admin@FreeBSD.org (GNATS Management)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: gnats-admin@FreeBSD.org, venglin@freebsd.lublin.pl
Received: from yeti.ismedia.pl (unknown [212.182.96.18]) by hub.freebsd.org (Postfix) with SMTP id B56C637B400 for ; Thu, 7 Dec 2000 03:17:30 -0800 (PST)
Received: (qmail 38050 invoked from network); 7 Dec 2000 11:17:54 -0000
Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11) by 0 with SMTP; 7 Dec 2000 11:17:54 -0000
Received: (qmail 21560 invoked from network); 7 Dec 2000 11:19:03 -0000
Received: from unknown (HELO riget.scene.pl) (212.182.115.2) by 0 with SMTP; 7 Dec 2000 11:19:03 -0000
Received: (qmail 61677 invoked by uid 1001); 7 Dec 2000 11:16:03 -0000
Message-Id: <20001207111603.61676.qmail@riget.scene.pl>
Date: 7 Dec 2000 11:16:03 -0000
From: venglin@freebsd.lublin.pl
Reply-To: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/23352: [SECURITY] buffer overflow in opieftpd
Resent-Sender: gnats@FreeBSD.org
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 23352
>Category: bin
>Synopsis: [SECURITY] buffer overflow in opieftpd
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 07 03:20:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 4.2-STABLE i386
>Organization:
ISMEDIA
>Environment:
FreeBSD 4.2-STABLE as of 5th December 2000.
>Description:
ftpd_popen() from opieftpd contains a buffer overflow. opieftpd is not compiled by default.
>How-To-Repeat:
N/A
>Fix:
--- popen.c.bak Thu Dec 7 12:11:24 2000 +++ popen.c Thu Dec 7 12:18:04 2000 @@ -82,10 +82,13 @@ #include #endif /* HAVE_STRING_H */ #include "opie.h" +#define MAXUSRARGS 100 +#define MAXGLOBARGS 1000 + char **ftpglob __P((register char *)); char **copyblk __P((char **)); VOIDRET blkfree __P((char **)); /* 
@@ -101,34 +104,36 @@ FILE *ftpd_popen FUNCTION((program, type), char *program AND char *type) { char *cp; FILE *iop; int argc, gargc, pdes[2]; - char **pop, *argv[100], *gargv[1000], *vv[2]; + char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS], *vv[2]; if ((*type != 'r' && *type != 'w') || type[1]) return (NULL); if (pipe(pdes) < 0) return (NULL); /* break up string into pieces */ - for (argc = 0, cp = program;; cp = NULL) + for (argc = 0, cp = program; argc < MAXUSRARGS-1; cp = NULL) { if (!(argv[argc++] = strtok(cp, " \t\n"))) break; + } + argv[argc - 1] = NULL; /* glob each piece */ gargv[0] = argv[0]; - for (gargc = argc = 1; argv[argc]; argc++) { + for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) { if (!(pop = (char **) ftpglob(argv[argc]))) { /* globbing failed */ vv[0] = argv[argc]; vv[1] = NULL; pop = (char **) copyblk(vv); } argv[argc] = (char *) pop; /* save to free later */ - while (*pop && gargc < 1000) + while (*pop && gargc < MAXGLOBARGS-1) gargv[gargc++] = *pop++; } gargv[gargc] = NULL; iop = NULL;
>Release-Note:
>Audit-Trail:
>Unformatted:
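Review bot: the two macros introduced in the first hunk, `#define MAXUSRARGS 100` and `#define MAXGLOBARGS 1000`, carry no comment saying what each one bounds, and the loops that use them reserve one slot for the terminating NULL (`argc < MAXUSRARGS-1`, `gargc < MAXGLOBARGS-1`), which is not obvious from the names; a one-line comment next to each define stating that it is the size of argv[] and gargv[] respectively, NULL terminator included, would spare the next reader from rederiving the off-by-one reasoning. Also, the `#include` line guarded by HAVE_STRING_H shows no header name in this copy of the hunk, so confirm that the header name is intact in the patch file before committing.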
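Review bot: in the second hunk, the `gargc < (MAXGLOBARGS-1)` test added to the outer `for` ends the glob loop as soon as gargv fills, so any argv[argc] entries not yet visited still hold the raw strtok() pointers into `program` rather than the blocks that `argv[argc] = (char *) pop; /* save to free later */` stores; whatever cleanup later walks argv to blkfree() those saved blocks must stop at the entry where this loop stopped (for instance by writing NULL into argv[argc] on exit), or it would hand non-heap pointers to blkfree(). A smaller point: when the tokenizing loop exits because `argc < MAXUSRARGS-1` became false, `argv[argc - 1] = NULL;` overwrites the last token read, and the glob loop likewise drops trailing arguments once gargv is full, so an over-long command line is executed in silently truncated form; for a security fix, failing the call (close both pdes descriptors and return NULL) is preferable to running a shortened command. The bounds themselves check out: argv[] is never written past index MAXUSRARGS-2, gargv[] is never written past MAXGLOBARGS-2 inside the `while`, and the final `gargv[gargc] = NULL;` lands at index MAXGLOBARGS-1 at most, which also closes the one-past-the-end write the old `gargc < 1000` test allowed.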