Date:      Sun, 27 Oct 1996 08:00:02 -0800 (PST)
From:      roberto@keltia.freenix.fr (Ollivier Robert)
To:        freebsd-bugs
Subject:   Re: bin/1903: Arbitrary users can break root on systems with an SUID /sbin/route
Message-ID:  <199610271600.IAA28470@freefall.freebsd.org>

The following reply was made to PR bin/1903; it has been noted by GNATS.

From: roberto@keltia.freenix.fr (Ollivier Robert)
To: tqbf@enteract.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/1903: Arbitrary users can break root on systems with an SUID /sbin/route
Date: Sun, 27 Oct 1996 16:55:46 +0100

 According to tqbf@enteract.com:
 > >Description:
 > When a user attempts to get a route entry using 'route get', route
 > does a reverse DNS lookup. It fails to check the length of the returned
 > hostname before copying it into a 50 byte buffer. 
 > 
 > Additionally, large values for the argument to the 'get' command
 > will cause 'route' to die on SIGSEGV; gdb shows the stack being
 > overwritten with this value.
 
 The following should fix it:
 
 Index: route.c
 ===================================================================
 RCS file: /spare/FreeBSD-current/src/sbin/route/route.c,v
 retrieving revision 1.15
 diff -u -2 -r1.15 route.c
 --- route.c	1996/09/14 02:59:46	1.15
 +++ route.c	1996/10/27 15:51:49
 @@ -323,5 +323,5 @@
  {
  	register char *cp;
 -	static char line[50];
 +	static char line[MAXHOSTNAMELEN + 1];
  	struct hostent *hp;
  	static char domain[MAXHOSTNAMELEN + 1];
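 Review bot: widening `line` to `MAXHOSTNAMELEN + 1` does not by itself remove the overflow; the `strcpy(line, cp)` further down in routename() stays unbounded until the second hunk replaces it, so this hunk must not be committed without that one. The new size also assumes the resolver never hands back a name longer than `MAXHOSTNAMELEN`; its value is not visible here, so the bounded copy, not the buffer size, is what should carry the guarantee. Matching the existing `domain[MAXHOSTNAMELEN + 1]` declaration two lines below is the right choice stylistically.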
 @@ -362,5 +362,5 @@
  		}
  		if (cp)
 -			strcpy(line, cp);
 +			snprintf(line, sizeof(line), "%s", cp);
  		else {
  			/* XXX - why not inet_ntoa()? */
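 Review bot: `snprintf(line, sizeof(line), "%s", cp)` truncates silently and discards the return value, so a name that was cut cannot be told apart from one that fit; that is acceptable for a name that is only printed, but if `route get` output is ever parsed, consider checking whether the returned length is `>= sizeof(line)`. `sizeof(line)` is only correct because `line` is the array declared at the top of this function rather than a pointer, which deserves a one-line comment. The `else` branch marked `/* XXX - why not inet_ntoa()? */` is not shown in this hunk; whatever it writes into `line` should use the same bounded form so the function has no remaining unbounded writes.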
 @@ -414,5 +414,5 @@
  {
  	char *cp = 0;
 -	static char line[50];
 +	static char line[MAXHOSTNAMELEN + 1];
  	struct netent *np = 0;
  	u_long net, mask;
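 Review bot: `MAXHOSTNAMELEN` is being borrowed here as the bound for a network name (the `struct netent *np` below points at a getnetbyaddr()-style result), not a hostname; that works because the copy in the following hunk is bounded, but a short comment saying why a host-name limit sizes a net-name buffer would save the next reader a detour. As in routename(), this size change is only safe together with the bounded copy in the next hunk.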
 @@ -459,5 +459,5 @@
  		}
  		if (cp)
 -			strcpy(line, cp);
 +			snprintf(line, sizeof(line), "%s", cp);
  		else if ((in.s_addr & 0xffffff) == 0)
  			(void) sprintf(line, "%u", C(in.s_addr >> 24));
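 Review bot: the `else if` branch two lines below the changed `strcpy` still formats with `(void) sprintf(line, "%u", C(in.s_addr >> 24))`; with `C()` presumably masking to one octet that writes at most four bytes, but switching it to `snprintf(line, sizeof(line), "%u", ...)` keeps netname() free of unbounded formatting and spares later reviewers from redoing that arithmetic. Note also that these four hunks only address the first issue in the report, the unchecked copy of the reverse-DNS result; the second one, `route get` dying on SIGSEGV with a large argument value overwriting the stack, is in the argument handling and is not touched by this patch.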
 
 -- 
 Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
 FreeBSD keltia.freenix.fr 2.2-CURRENT #25: Tue Oct 15 21:13:57 MET DST 1996
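The following is an added example, not code from route.c or from the FreeBSD project, modelling the copy path the patch changes so that the overflow and the fix can be exercised offline. It assumes MAXHOSTNAMELEN is 256 (the real value is not visible in the patch), stands in a constructed string for the gethostbyaddr() result, approximates the local-domain stripping that route.c does with its `domain[]` buffer, and places a canary behind a 50-byte `line` so that a write past the end is detectable. It goes one step beyond the patch by checking snprintf()'s return value to report truncation.

```c
#include <stdio.h>
#include <string.h>

#define LINE_OLD 50            /* the pre-patch static char line[50] */
#define HOSTNAMELEN_MAX 256    /* stand-in for MAXHOSTNAMELEN; 256 is assumed */

/* Constructed stand-in for gethostbyaddr()->h_name. Whoever runs the reverse
 * zone for the looked-up address chooses this string, so in route(8) it is
 * attacker-controlled. No real lookup happens here. */
static const char *fake_reverse_name(int hostile)
{
    static char name[HOSTNAMELEN_MAX + 64];
    if (!hostile)
        return "gw.example.net";
    memset(name, 'A', sizeof(name) - 1);   /* 319 bytes: far past line[50] */
    name[sizeof(name) - 1] = '\0';
    return name;
}

/* The patch's idiom: snprintf(line, sizeof(line), "%s", cp).
 * Returns 0 if the whole name fit, 1 if it was truncated, -1 on error.
 * snprintf() reports the length it wanted to write; the patch drops it. */
static int copy_name_bounded(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);
    if (n < 0)
        return -1;
    return (size_t)n >= dstsz;
}

/* A 50-byte line with a canary right behind it, so a write past the end
 * is detectable without corrupting this program's own stack. */
struct guarded_line {
    char line[LINE_OLD];
    unsigned char canary[8];
};

static void arm_canary(struct guarded_line *g)
{
    memset(g->line, 0, sizeof(g->line));
    memset(g->canary, 0xA5, sizeof(g->canary));
}

static int canary_intact(const struct guarded_line *g)
{
    size_t i;
    for (i = 0; i < sizeof(g->canary); i++)
        if (g->canary[i] != 0xA5)
            return 0;
    return 1;
}

/* Model of the patched routename() path: resolve, strip the local domain
 * suffix for display (approximation of what route.c does with domain[]),
 * then copy with a bound. 'domain' is a constructed local domain. */
static int routename_model(char *dst, size_t dstsz, int hostile,
                           const char *domain)
{
    char work[HOSTNAMELEN_MAX + 64];
    char *dot;

    snprintf(work, sizeof(work), "%s", fake_reverse_name(hostile));
    dot = strchr(work, '.');
    if (dot != NULL && strcmp(dot + 1, domain) == 0)
        *dot = '\0';
    return copy_name_bounded(dst, dstsz, work);
}

/* Pre-patch behaviour, computed rather than performed: strcpy() wrote
 * strlen(name)+1 bytes into line[50] with no check at all. */
static int old_strcpy_would_overflow(int hostile)
{
    return strlen(fake_reverse_name(hostile)) + 1 > LINE_OLD;
}

/* Benign lookup: "gw.example.net" is shown as "gw" and fits. */
static int benign_name_unqualified(void)
{
    char out[LINE_OLD];
    return routename_model(out, sizeof(out), 0, "example.net") == 0 &&
           strcmp(out, "gw") == 0;
}

/* Hostile lookup into the old-size buffer: truncated to 49 chars plus NUL,
 * canary untouched. The same call through strcpy() would have smashed it. */
static int hostile_name_contained(void)
{
    struct guarded_line g;
    int rc;

    arm_canary(&g);
    rc = routename_model(g.line, sizeof(g.line), 1, "example.net");
    return rc == 1 && canary_intact(&g) && strlen(g.line) == LINE_OLD - 1;
}

int main(void)
{
    printf("old strcpy overflows on hostile name: %d\n", old_strcpy_would_overflow(1));
    printf("benign name displayed unqualified:    %d\n", benign_name_unqualified());
    printf("hostile name contained by snprintf:   %d\n", hostile_name_contained());
    return 0;
}
```

The canary struct is a test device for this example only; in the real program the bytes past `line` are whatever the compiler placed there, which is why the report saw the stack overwritten. Returning the truncation flag from copy_name_bounded() is the one thing the example adds over the patch: the patch's snprintf() call is safe but cannot tell a caller that the displayed name is incomplete.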



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610271600.IAA28470>