Site Navigation

Date:      Thu, 19 Jul 2001 21:59:57 +0300
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        Matt Dillon <dillon@earth.backplane.com>
Cc:        Assar Westerlund <assar@FreeBSD.org>, security@FreeBSD.org
Subject:   Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID:  <20010719215957.A74024@sunbay.com>
In-Reply-To: <200107191817.f6JIHSJ76262@earth.backplane.com>; from dillon@earth.backplane.com on Thu, Jul 19, 2001 at 11:17:28AM -0700
References:  <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org> <200107191752.f6JHqer75736@earth.backplane.com> <20010719205948.D67829@sunbay.com> <200107191817.f6JIHSJ76262@earth.backplane.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

On Thu, Jul 19, 2001 at 11:17:28AM -0700, Matt Dillon wrote:
> 
> :>     the ENCRYPT code) where this is true.  This patch will fix the existing
> :>     options-based hole, but doesn't close it.
> :> 
> :Doesn't this handle this?
> :
> :int
> :output_data(const char *format, ...)
> :{
> :        va_list args;
> :        size_t remaining, ret;
> :        va_start(args, format);
> :        remaining = BUFSIZ - (nfrontp - netobuf);
> :        /* try a netflush() if the room is too low */
> :        if (strlen(format) > remaining || BUFSIZ / 4 > remaining) {
> :            ^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
>     Nope.  What if the format is "%d" and the number is "123"?  Or
>     that format is "%s" and the argument is "abcdefghijklmnopqrstuvwxyz"?
>     Then strlen(format) could be < remaining but the result of the vsnprintf()
>     could still be > remaining.
> 
>     The output_data() calls for the various options are safe, strlen(format)
>     will always be larger then the actual formatted result.  But the 
>     debugging and crypto calls to output_data() are not safe.
> 
> 						-Matt
> 
> :                netflush();
> :                remaining = BUFSIZ - (nfrontp - netobuf);
> :        }
> :        ret = vsnprintf(nfrontp, remaining, format, args);
> 
Should be fixed in state.c,v 1.7.  Thanks, Assar!


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010719215957.A74024>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact