From owner-freebsd-current Tue Nov 23 21:15:37 1999
Delivered-To: freebsd-current@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 79EE31550A; Tue, 23 Nov 1999 21:15:35 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 6AE4F1CD7F5 for ; Tue, 23 Nov 1999 21:15:35 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Tue, 23 Nov 1999 21:15:35 -0800 (PST)
From: Kris Kennaway
To: current@freebsd.org
Subject: Overflow in banner(1)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In the spirit of the newly-formed FreeBSD Auditing Project, I present:

% banner `perl -e 'print "a"x2000'`
Segmentation fault (core dumped)

-----

The problem is a trivial one. From /usr/src/usr.bin/banner/banner.c:

/*
 * banner - prints large signs
 * banner [-w#] [-d] [-t] message ...
 */

#define MAXMSG 1024
...
char message[MAXMSG];
...
	/* Have now read in the data. Next get the message to be printed. */
	if (*argv) {
		strcpy(message, *argv);
		while (*++argv) {
			strcat(message, " ");
			strcat(message, *argv);
		}
		nchars = strlen(message);
	} else {

----

Bzzzt! Wrong! OpenBSD were never vulnerable to this because they seem to use a different banner(1) than we do. The issue of whether or not this is likely to be a serious security risk is left as an exercise to the reader :-)

I'll commit this tomorrow (just wanted to get in a 'first post!' :-)..

Kris

Index: banner.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/banner/banner.c,v
retrieving revision 1.6
diff -u -r1.6 banner.c
--- banner.c	1999/04/19 04:05:25	1.6
+++ banner.c	1999/12/23 10:18:50
@@ -1058,15 +1058,15 @@ /* Have now read in the data. Next get the message to be printed. */ if (*argv) { - strcpy(message, *argv); + strncpy(message, *argv, MAXMSG); while (*++argv) { - strcat(message, " "); - strcat(message, *argv); + strlcat(message, " ", MAXMSG); + strlcat(message, *argv, MAXMSG); } nchars = strlen(message); } else { fprintf(stderr,"Message: "); - (void)fgets(message, sizeof(message), stdin); + (void)fgets(message, MAXMSG, stdin); nchars = strlen(message); message[nchars--] = '\0'; /* get rid of newline */ } ---- Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils.. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
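Review bot: the new `strncpy(message, *argv, MAXMSG)` does not NUL-terminate `message` when `*argv` is MAXMSG bytes or longer, so the `strlcat(message, " ", MAXMSG)` that follows (and the later `strlen(message)`) will read past the end of the buffer on exactly the input the post uses to demonstrate the bug; `strlcpy(message, *argv, MAXMSG)` gives the guarantee the `strlcat` lines already rely on. Two smaller points in the same hunk: `strlcpy`/`strlcat` return the length the full string would have needed, so comparing that against MAXMSG would let banner warn that the message was cut instead of silently printing a truncated sign; and in the unchanged `fgets` branch, `message[nchars--] = '\0'` stores the terminator where one already is and leaves the newline in place (on an empty read it also decrements to an index before the buffer), so something like `if (nchars > 0 && message[nchars - 1] == '\n') message[--nchars] = '\0';` would do what the comment says.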
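A bounded version of the argument-joining loop quoted in the post, added here as an illustration; it is not Kris's patch and not FreeBSD's banner.c. It keeps the buffer NUL-terminated on every path, reports how many bytes the untruncated message would have needed so the caller can detect truncation, and strips the newline from the fgets() branch without indexing before the buffer. The names build_message, append and strip_newline are this example's own; strlcpy/strlcat are deliberately not called so it builds on any libc.

```c
/* Added example (not from the post or from FreeBSD's banner.c): a bounded
 * replacement for the strcpy/strcat loop.  The names build_message, append
 * and strip_newline are this example's own. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAXMSG 1024   /* same buffer size as banner.c */

/* Append s to dst (capacity dstsz, always left NUL-terminated).
 * *len tracks bytes actually stored; *need tracks bytes the untruncated
 * text would take, so the caller can detect truncation instead of
 * overrunning the buffer. */
static void append(char *dst, size_t dstsz, size_t *len, size_t *need,
                   const char *s)
{
    size_t slen = strlen(s);
    size_t room = dstsz - 1 - *len;        /* space left before the NUL */
    size_t n = slen < room ? slen : room;
    memcpy(dst + *len, s, n);
    *len += n;
    *need += slen;
    dst[*len] = '\0';
}

/* Join the argv words with single spaces into message[msgsz].
 * Returns the length the full message would need (excluding the NUL);
 * a return value >= msgsz means the stored copy was truncated. */
size_t build_message(char *message, size_t msgsz, char *const *argv)
{
    size_t len = 0, need = 0;
    if (msgsz == 0)
        return 0;
    message[0] = '\0';
    for (size_t i = 0; argv[i] != NULL; i++) {
        if (i > 0)
            append(message, msgsz, &len, &need, " ");
        append(message, msgsz, &len, &need, argv[i]);
    }
    return need;
}

/* For the fgets() branch: drop a trailing newline if present and return
 * the new length.  Safe on an empty line, unlike message[nchars--]. */
size_t strip_newline(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n')
        s[--n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed input mirroring the post's test: a 2000-byte argument. */
    char big[2001];
    memset(big, 'a', 2000);
    big[2000] = '\0';
    char *args[] = { big, "second", NULL };

    char message[MAXMSG];
    size_t need = build_message(message, sizeof message, args);
    printf("stored %zu bytes, needed %zu%s\n", strlen(message), need,
           need >= sizeof message ? " (message truncated)" : "");
    return 0;
}
```

With the 2000-byte argument the stored message is cut at 1023 bytes and the return value (2007) exceeds the buffer size, so the caller can refuse or warn rather than crash; with short arguments the return value equals the stored length.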