Date: Fri, 14 Sep 2001 00:08:35 -0400 (EDT) From: "Andrew R. Reiter" <arr@watson.org> To: freebsd-audit@freebsd.org Subject: dungeon master patch Message-ID: <Pine.NEB.3.96L.1010914000517.11262A-200000@fledge.watson.org>
[-- Attachment #1 --]
hey,
I just started to go through -current (seemingly on default) s{g,u}id bins
and their source for security vulns. I found a few definite coding
problems in dungeon master (setgid games ;-)), however, since you can't
specify the config file, they are probably non-exploitable. but, hey,
it's being installed setgid (even if it is games), might as well use good
coding practice.
the patch is attached, and also can be found at:
http://www.watson.org/~arr/fbsd-audit/games/dm/dm.c.diff
cheers,
andrew
*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead
[-- Attachment #2 --]
--- dm.c.orig Thu Sep 13 22:44:25 2001
+++ dm.c Thu Sep 13 23:02:43 2001
@@ -111,15 +111,16 @@
play(args)
char **args;
{
- char pbuf[MAXPATHLEN];
+ char pbuf[MAXPATHLEN+1];
- if (sizeof(_PATH_HIDE) + strlen(game) > sizeof(pbuf)) {
+ if (sizeof(_PATH_HIDE) + strlen(game) + 1 > sizeof(pbuf)) {
(void)fprintf(stderr, "dm: %s/%s: %s\n", _PATH_HIDE, game,
strerror(ENAMETOOLONG));
exit(1);
}
- (void)strcpy(pbuf, _PATH_HIDE);
- (void)strcpy(pbuf + sizeof(_PATH_HIDE) - 1, game);
+ bzero((void *)&pbuf, MAXPATHLEN+1);
+ strlcpy(pbuf, _PATH_HIDE, sizeof(pbuf));
+ strlcat(pbuf+strlen(_PATH_HIDE), game, sizeof(pbuf)-strlen(_PATH_HIDE));
if (priority > 0) /* < 0 requires root */
(void)setpriority(PRIO_PROCESS, 0, priority);
execv(pbuf, args);
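Review bot: The strlcat call on the last added line is handed a pointer into the middle of pbuf together with a hand-computed remaining size, which is exactly the arithmetic strlcat exists to do itself; `strlcat(pbuf, game, sizeof(pbuf))` is equivalent here and cannot let the offset and the remaining size drift apart. Because strlcat returns the length it tried to build, the manual length test above it can also collapse into checking that result, e.g. `if (strlcat(pbuf, game, sizeof(pbuf)) >= sizeof(pbuf))` followed by the existing ENAMETOOLONG report, so the overflow decision lives in one place. The bzero line repeats the literal `MAXPATHLEN+1` instead of using `sizeof(pbuf)`, so a later change to the declaration would silently desynchronize the two, and it is redundant anyway since strlcpy NUL-terminates. play's body continues past the end of the hunk.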
@@ -135,30 +136,37 @@
read_config()
{
FILE *cfp;
- char lbuf[BUFSIZ], f1[40], f2[40], f3[40], f4[40], f5[40];
+ char lbuf[BUFSIZ+1], f1[40], f2[40], f3[40], f4[40], f5[40];
if (!(cfp = fopen(_PATH_CONFIG, "r")))
return;
- while (fgets(lbuf, sizeof(lbuf), cfp))
+ while (fgets(lbuf, sizeof(lbuf)-1, cfp)) {
+ bzero(&f1, sizeof(f1));
+ bzero(&f2, sizeof(f2));
+ bzero(&f3, sizeof(f3));
+ bzero(&f4, sizeof(f4));
+ bzero(&f5, sizeof(f5));
switch(*lbuf) {
case 'b': /* badtty */
- if (sscanf(lbuf, "%s%s", f1, f2) != 2 ||
+ if (sscanf(lbuf, "%39s%39s", f1, f2) != 2 ||
strcasecmp(f1, "badtty"))
break;
c_tty(f2);
break;
case 'g': /* game */
- if (sscanf(lbuf, "%s%s%s%s%s",
+ if (sscanf(lbuf, "%39s%39s%39s%39s%39s",
f1, f2, f3, f4, f5) != 5 || strcasecmp(f1, "game"))
break;
c_game(f2, f3, f4, f5);
break;
case 't': /* time */
- if (sscanf(lbuf, "%s%s%s%s", f1, f2, f3, f4) != 4 ||
- strcasecmp(f1, "time"))
+ if (sscanf(lbuf, "%39s%39s%39s%39s",
+ f1, f2, f3, f4) != 4 || strcasecmp(f1, "time"))
break;
c_day(f2, f3, f4);
}
+ bzero(&lbuf, sizeof(lbuf));
+ }
(void)fclose(cfp);
}
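Review bot: A configuration line longer than lbuf is still delivered by fgets in two pieces, so the tail of an overlong line is parsed as a fresh record by the `switch(*lbuf)` that follows; the new `%39s` widths stop the field overflow but not this mis-parse, which can turn the middle of one line into an unintended `game`, `time` or `badtty` entry. After the fgets in the while condition, drain the rest of the line and skip the record when anything had to be dropped, as sketched below. Separately, the five bzero calls on f1..f5, the `sizeof(lbuf)-1` argument and the trailing bzero of lbuf are redundant once `%39s` is in place, because fgets and every successful sscanf conversion NUL-terminate their output; if they stay, `bzero(f1, sizeof(f1))` reads more naturally than taking the address of the array.
```c
	while (fgets(lbuf, sizeof(lbuf), cfp)) {
		if (strchr(lbuf, '\n') == NULL) {
			int c, dropped = 0;

			while ((c = getc(cfp)) != EOF && c != '\n')
				dropped = 1;
			if (dropped)	/* remainder of an overlong line: not a record */
				continue;
		}
		/* ... unchanged: field reset and switch on *lbuf ... */
	}
```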
