From owner-freebsd-security Fri Oct 25 11:20:39 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA06648 for security-outgoing; Fri, 25 Oct 1996 11:20:39 -0700 (PDT) Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA06640 for ; Fri, 25 Oct 1996 11:20:34 -0700 (PDT) Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.12/8.6.9) id OAA26055; Fri, 25 Oct 1996 14:20:22 -0400 From: Bill Paul Message-Id: <199610251820.OAA26055@skynet.ctr.columbia.edu> Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit To: freebsd-security@freebsd.org Date: Fri, 25 Oct 1996 14:20:21 -0400 (EDT) Cc: imp@village.org X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Somebody bounced a copy of this just a short while ago through one of the Columbia sysadmin mailing lists. >+ /* >+ * Make sure that we have enough buffer for the card line to >+ * splat out. guard against huge requests running us out of >+ * memory (exit when this happens). >+ */ >+ if (buflen < strlen( p2 ) + 2) { >+ buflen = strlen( p2 ) + 2; >+ if (buflen < BUFSIZ) >+ buflen = BUFSIZ; >+ buf = buf ? realloc( buf, buflen ) : malloc( buflen ); >+ if (!buf) { >+ printf("Can't get buffer for card line\n"); >+ exit(1); >+ } >+ } You were far more charitable with your fix that I was. When I patched my machine at home, I just did this: *** /cdrom/usr/src/usr.sbin/lpr/lpr/lpr.c Sun Oct 8 13:39:17 1995 --- lpr.c Fri Oct 25 13:35:21 1996 *************** *** 481,487 **** register int len = 2; *p1++ = c; ! while ((c = *p2++) != '\0') { *p1++ = (c == '\n') ? ' ' : c; len++; } --- 481,487 ---- register int len = 2; *p1++ = c; ! while (p1 < (char *)&buf + BUFSIZ && (c = *p2++) != '\0') { *p1++ = (c == '\n') ? 
' ' : c; len++; } Yes this will silently truncate the string, but if the printer subsystem isn't smart enough to deal with this gracefully then it's no damn good anyway. :) -Bill -- ============================================================================= -Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City ============================================================================= "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you." =============================================================================
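Review bot: In the quoted `+` hunk, the `+ 2` in `buflen < strlen( p2 ) + 2` is not explained, and the comment above it only talks about running out of memory. Say in the comment which two bytes are being reserved beyond the string itself. If anything downstream treats `buf` as a C string, there is no room for the terminating NUL and the size needs to be `strlen( p2 ) + 3`. Two smaller points on the same hunk: compute `strlen( p2 )` once into a local rather than twice, and send the "Can't get buffer for card line" message to stderr instead of using `printf`, so the failure does not end up in the program's normal output.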
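Review bot: In the context diff against lpr.c (lines 481-487), the new loop guard `p1 < (char *)&buf + BUFSIZ` lets the loop fill the buffer through its last byte, but `len` starts at 2 and only `c` has been stored before the loop, so a second byte is evidently written after it. With a maximum-length input that write lands one past the end of `buf`. Stop one byte earlier, for example `p1 < buf + BUFSIZ - 1`. The `(char *)&buf` form is also fragile: it only points at the data while `buf` is declared as an array. If `buf` becomes a pointer, as in the quoted realloc version, `&buf` is the address of the pointer variable and the bound is meaningless, so write the limit in terms of `buf` itself. Since truncation is silent by design here, a one-line comment at the loop saying so would save the next reader from treating it as a bug.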