From owner-freebsd-security Mon Aug 5 13:02:05 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA15383 for security-outgoing; Mon, 5 Aug 1996 13:02:05 -0700 (PDT)
Received: from janus.saturn.net (root@janus.saturn.net [206.42.0.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA15376 for ; Mon, 5 Aug 1996 13:02:03 -0700 (PDT)
Received: from tcpip (tcpip [206.42.2.27]) by janus.saturn.net (8.7.4/8.6.9) with SMTP id QAA07043; Mon, 5 Aug 1996 16:01:22 -0400
Date: Mon, 5 Aug 1996 16:00:05 -0400 (EDT)
From: Brian Mitchell
X-Sender: brian@tcpip
To: Ollivier Robert
cc: Sociedade Brasileira de Quimica/Admin , security@freebsd.org
Subject: Re: rlogin vulnerability?
In-Reply-To: <199608050458.GAA08545@keltia.freenix.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 5 Aug 1996, Ollivier Robert wrote:

> According to Sociedade Brasileira de Quimica/Admin:
> > ping.c - pr_addr(l)
>
> Interestingly enough, the diff is about ping, not rlogin. Anyway, it was
> fixed a while ago in 2.2-CURRENT:
>
> ----------------------------
> revision 1.6
> date: 1996/07/28 20:29:10; author: peter; state: Exp; lines: +3 -2
> Limit the risk of `buf' overrun in ping.c when printing hostnames.
>
> Note, this is not really a security risk, because the buffer in question
> is a static variable in the data segment and not on the stack, and hence
> cannot subvert the flow of execution in any way. About the worst case was
> that if you pinged a long hostname, ping could coredump.

This is not true: the function is not used when you enter a hostname. It
is used when you get a non-echoreply packet when you are in -v mode; that's
the only time it is called.

Brian Mitchell
brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
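The thread above concerns a fixed-size static buffer that receives a resolved hostname and a dotted-quad address. The example below is added here and is not the ping.c code or the committed fix; it shows the shape of a bounded formatter for that situation. The names `format_addr` and `pr_addr_bounded`, the buffer size `ADDR_BUF_LEN`, and the choice to pass the already-resolved hostname in as a parameter (so the code runs offline without a resolver) are all assumptions. The unbounded form the commit log describes is assumed to have been an unchecked `sprintf` into the static buffer; the bounded form uses `snprintf` and, when the hostname plus address would not fit, falls back to the address alone rather than emitting a silently truncated name.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the static output buffer; hypothetical, not ping.c's value. */
#define ADDR_BUF_LEN 80

/*
 * Write "hostname (a.b.c.d)" into out[outlen] without ever writing past
 * the end of the buffer. If the combined string would not fit, drop the
 * hostname and write the dotted-quad alone (at most 15 chars + NUL, so it
 * fits in any buffer of 16 bytes or more).
 *
 * Returns 1 if the hostname was kept, 0 if only the address was written,
 * -1 on a bad argument or if even the address does not fit.
 */
int format_addr(char *out, size_t outlen,
                const char *hostname, const char *dotted_quad)
{
    int n;

    if (out == NULL || outlen == 0 || dotted_quad == NULL)
        return -1;

    if (hostname != NULL) {
        /* snprintf returns the length that would have been written;
         * a value >= outlen means the output was truncated. */
        n = snprintf(out, outlen, "%s (%s)", hostname, dotted_quad);
        if (n >= 0 && (size_t)n < outlen)
            return 1;
    }

    n = snprintf(out, outlen, "%s", dotted_quad);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/*
 * Static-buffer wrapper in the style the thread describes. The buffer is
 * in the data segment, so an overrun would corrupt neighbouring globals
 * rather than a saved return address; with the bounded formatter the
 * write stays inside the buffer regardless of hostname length.
 */
const char *pr_addr_bounded(const char *hostname, const char *dotted_quad)
{
    static char buf[ADDR_BUF_LEN];

    (void)format_addr(buf, sizeof buf, hostname, dotted_quad);
    return buf;
}

int main(void)
{
    /* Constructed input: a hostname far longer than the buffer. */
    char longname[200];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("%s\n", pr_addr_bounded("host.example", "192.0.2.1"));
    printf("%s\n", pr_addr_bounded(longname, "192.0.2.1"));
    printf("%s\n", pr_addr_bounded(NULL, "192.0.2.1"));
    return 0;
}
```

The return value of `format_addr` lets a caller notice that a name was dropped, which is the kind of signal a `-v` style diagnostic path can log instead of printing a clipped hostname.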