Date: Fri, 25 Oct 1996 14:20:21 -0400 (EDT)
From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
To: freebsd-security@freebsd.org
Cc: imp@village.org
Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit
Message-ID: <199610251820.OAA26055@skynet.ctr.columbia.edu>
Somebody bounced a copy of this just a short while ago through one of
the Columbia sysadmin mailing lists.
>+ /*
>+ * Make sure that we have enough buffer for the card line to
>+ * splat out. guard against huge requests running us out of
>+ * memory (exit when this happens).
>+ */
>+ if (buflen < strlen( p2 ) + 2) {
>+ buflen = strlen( p2 ) + 2;
>+ if (buflen < BUFSIZ)
>+ buflen = BUFSIZ;
>+ buf = buf ? realloc( buf, buflen ) : malloc( buflen );
>+ if (!buf) {
>+ printf("Can't get buffer for card line\n");
>+ exit(1);
>+ }
>+ }
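Review bot: the comment promises a guard against huge requests, but the block at `if (buflen < strlen( p2 ) + 2)` sets no upper limit on `buflen`; the only stop is allocation failure, so a caller can still make the process grow to whatever its resource limits allow. Consider rejecting lengths above a fixed maximum before the `realloc`. The failure message is sent with `printf`, so it lands on stdout; `fprintf(stderr, ...)` would be the usual place for it. Any pointer already derived from `buf` before this block is stale once `realloc` moves the buffer, so it has to be set again afterwards.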
You were far more charitable with your fix than I was. When I patched my
machine at home, I just did this:
*** /cdrom/usr/src/usr.sbin/lpr/lpr/lpr.c Sun Oct 8 13:39:17 1995
--- lpr.c Fri Oct 25 13:35:21 1996
***************
*** 481,487 ****
register int len = 2;
*p1++ = c;
! while ((c = *p2++) != '\0') {
*p1++ = (c == '\n') ? ' ' : c;
len++;
}
--- 481,487 ----
register int len = 2;
*p1++ = c;
! while (p1 < (char *)&buf + BUFSIZ && (c = *p2++) != '\0') {
*p1++ = (c == '\n') ? ' ' : c;
len++;
}
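Review bot: the new bound `p1 < (char *)&buf + BUFSIZ` in the `while` condition lets the loop fill the buffer through its last byte, leaving no room for anything written after the loop. `len` starts at 2 while only one byte (`*p1++ = c`) has been stored at this point, which suggests one more byte is appended after the loop; if so, the limit should be `BUFSIZ - 1`. The `&buf` form is also only right while `buf` is an array of `BUFSIZ` chars; if `buf` becomes a pointer, as in the quoted fix, `&buf` is the address of the pointer variable and the check protects nothing. Writing the bound as `buf + sizeof(buf) - 1` would make the array assumption explicit.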
Yes, this will silently truncate the string, but if the printer subsystem
isn't smart enough to deal with this gracefully then it's no damn good
anyway. :)
-Bill
--
=============================================================================
-Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu
Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
"If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================
