From owner-freebsd-security Thu Jul 19 12: 0:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 326D037B401; Thu, 19 Jul 2001 12:00:10 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f6JIxvL74110; Thu, 19 Jul 2001 21:59:57 +0300 (EEST) (envelope-from ru) Date: Thu, 19 Jul 2001 21:59:57 +0300 From: Ruslan Ermilov To: Matt Dillon Cc: Assar Westerlund , security@FreeBSD.org Subject: Re: [PATCH] Re: FreeBSD remote root exploit ? Message-ID: <20010719215957.A74024@sunbay.com> Mail-Followup-To: Matt Dillon , Assar Westerlund , security@FreeBSD.org References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200107191817.f6JIHSJ76262@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 11:17:28AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jul 19, 2001 at 11:17:28AM -0700, Matt Dillon wrote: > > :> the ENCRYPT code) where this is true. This patch will fix the existing > :> options-based hole, but doesn't close it. > :> > :Doesn't this handle this? > : > :int > :output_data(const char *format, ...) > :{ > : va_list args; > : size_t remaining, ret; > : va_start(args, format); > : remaining = BUFSIZ - (nfrontp - netobuf); > : /* try a netflush() if the room is too low */ > : if (strlen(format) > remaining || BUFSIZ / 4 > remaining) { > : ^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Nope. What if the format is "%d" and the number is "123"? Or > that format is "%s" and the argument is "abcdefghijklmnopqrstuvwxyz"? > Then strlen(format) could be < remaining but the result of the vsnprintf() > could still be > remaining. > > The output_data() calls for the various options are safe, strlen(format) > will always be larger then the actual formatted result. But the > debugging and crypto calls to output_data() are not safe. > > -Matt > > : netflush(); > : remaining = BUFSIZ - (nfrontp - netobuf); > : } > : ret = vsnprintf(nfrontp, remaining, format, args); > Should be fixed in state.c,v 1.7. Thanks, Assar! Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message