Date: Fri, 25 Oct 1996 12:23:05 -0600
From: Warner Losh <imp@village.org>
To: security@freebsd.org
Subject: lpr hole in card()
Message-ID: <E0vGquP-00027O-00@rover.village.org>
I've gone ahead and installed the OpenBSD fix, which is to truncate the buffer at BUFSIZ bytes (including the trailing '\n'). My patch is bogus: lpd might do something stupid as a result since it has a lot of BUFSIZ-sized buffers in it. It also can change where the buffer is, and so it will overwrite free memory (assuming it doesn't dump core first time through). This one adds a check to make sure that we're writing inside the buffer.

Here's the pseudo patch that I've applied to lpr.c. Comments?

static void card(c, p2) register int c; register char *p2; { char buf[BUFSIZ]; register char *p1 = buf; register int len = 2; *p1++ = c; - while ((c = *p2++) != '\0') { + while ((c = *p2++) != '\0' && len <= sizeof(buf)) { *p1++ = (c == '\n') ? ' ' : c; len++; } *p1++ = '\n'; write(tfd, buf, len); }

Warner
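Review bot: the new loop bound `len <= sizeof(buf)` in the `+` line is off by one. `len` starts at 2 to account for the card character already stored and the trailing '\n' still to come, so once the loop ends the line occupies exactly `len` bytes of `buf`; the condition still admits a character while `len == sizeof(buf)`, which leaves `len` at `sizeof(buf) + 1`, so the following `*p1++ = '\n'` stores one byte past the end of `buf` and `write(tfd, buf, len)` reads that byte as well. Use `len < sizeof(buf)` instead, so the newline always lands inside the buffer and at most BUFSIZ bytes are written, which matches the truncation at BUFSIZ (newline included) that the OpenBSD fix performs. Also note the character that fails the length test has already been consumed by `*p2++`; that is harmless here because `p2` is not used afterwards, but the truncation is silent, so consider reporting it to the caller.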
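As an added illustration of the bounded behaviour described above (this is not code from the message or from lpr), a rewrite of card() that stages the line through a caller-supplied buffer so the boundary can be checked; card_format and card_boundary_ok are names chosen here, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not lpr's code.  Format the control-file line "<c><p2>\n"
 * into out (capacity outsz), mapping '\n' in p2 to ' ' as card() does.  Text
 * that does not fit is dropped, so the line never exceeds outsz bytes. */
static size_t card_format(int c, const char *p2, char *out, size_t outsz)
{
    size_t len = 0;
    if (outsz < 2)                        /* no room even for "<c>\n" */
        return 0;
    out[len++] = (char)c;
    /* Admit a byte only while room remains for it AND the trailing '\n'.  The
     * patch's "len <= sizeof(buf)" lets one byte too many in, so its '\n'
     * lands one past the buffer and write() then reads that byte too. */
    for (; *p2 != '\0' && len + 1 < outsz; p2++)
        out[len++] = (*p2 == '\n') ? ' ' : *p2;
    out[len++] = '\n';
    return len;                           /* bytes staged, '\n' included */
}

/* Same shape as lpr's card(): stage in a BUFSIZ buffer, emit on tfd. */
static ssize_t card(int tfd, int c, const char *p2)
{
    char buf[BUFSIZ];
    size_t len = card_format(c, p2, buf, sizeof buf);
    return write(tfd, buf, len);
}

/* Boundary check on constructed input: BUFSIZ-2 text bytes fill the buffer
 * exactly, BUFSIZ-1 must be truncated.  A sentinel byte placed just past
 * the buffer shows nothing was written beyond it.  Returns 1 on success. */
static int card_boundary_ok(void)
{
    char in[BUFSIZ], out[BUFSIZ + 1];
    size_t n;
    memset(in, 'x', BUFSIZ - 2);
    in[0] = '\n';                         /* must come out as ' ' */
    in[BUFSIZ - 2] = '\0';
    out[BUFSIZ] = '#';
    n = card_format('H', in, out, BUFSIZ);
    if (n != BUFSIZ || out[0] != 'H' || out[1] != ' ' ||
        out[BUFSIZ - 1] != '\n' || out[BUFSIZ] != '#')
        return 0;
    in[BUFSIZ - 2] = 'x';                 /* one more text byte than fits */
    in[BUFSIZ - 1] = '\0';
    n = card_format('H', in, out, BUFSIZ);
    return n == BUFSIZ && out[BUFSIZ - 1] == '\n' && out[BUFSIZ] == '#';
}
```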