Date:      Fri, 25 Oct 1996 12:28:09 -0600
From:      Warner Losh <imp@village.org>
To:        Bill Paul <wpaul@skynet.ctr.columbia.edu>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit 
Message-ID:  <E0vGqzJ-00027v-00@rover.village.org>
In-Reply-To: Your message of "Fri, 25 Oct 1996 14:20:21 EDT." <199610251820.OAA26055@skynet.ctr.columbia.edu> 
References:  <199610251820.OAA26055@skynet.ctr.columbia.edu>  

In message <199610251820.OAA26055@skynet.ctr.columbia.edu> Bill Paul writes:
: ! 	while (p1 < (char *)&buf + BUFSIZ && (c = *p2++) != '\0') {
...
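Review bot: the bound in this while line lets p1 advance to (char *)&buf + BUFSIZ, one past the last element of buf, before the loop stops; any terminator stored through p1 after the loop (the reply below says there is one) then lands outside buf. Use `p1 < (char *)&buf + BUFSIZ - 1` so the last slot stays reserved for the terminator, and note that an exit on the length test silently truncates the input rather than rejecting it, so the caller should not assume the whole line was copied.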
: Yes this will silently truncate the string, but if the printer subsystem 
: isn't smart enough to deal with this gracefully then it's no damn good 
: anyway. :)

:-).  I just installed a variation of this from OpenBSD.  I think that
the above patch has a fencepost error in it.  What happens when you
get more than BUFSIZ bytes?  The first test will fail when buf is
exactly full.  However, one more byte is written after the loop ends,
which will overflow onto the stack.  Maybe it is harmless, but you
never can tell.  See my last mail in security for other reasons why my
patch is completely bogus and for the patch I applied.  lpd may not be
able to handle the long lines due to its use of fixed buffers
everywhere.  Also, my patch dumps core the first time through the loop
(that will teach me to post w/o testing :-).

Warner

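The fencepost Warner describes, as an added illustration rather than code from this thread: the quoted loop bound beside the corrected one, with a one-byte canary placed right after a scaled-down buffer so the extra write is visible. BUF_LEN, CANARY and the helper names are my own, not lpd's.

```c
#include <stddef.h>
#include <string.h>

#define BUF_LEN 8      /* small stand-in for BUFSIZ so the edge is easy to hit */
#define CANARY  0xA5

/* One byte larger than the logical buffer: store[BUF_LEN] holds a canary so a
 * one-byte overrun is observable without undefined behaviour (in lpd that byte
 * is whatever the compiler placed next on the stack). */
struct guarded { char store[BUF_LEN + 1]; };

static void guarded_init(struct guarded *g) {
    memset(g->store, 0, sizeof g->store);
    g->store[BUF_LEN] = (char)CANARY;
}

/* Same bound as the quoted patch: the loop stops only once the buffer is
 * exactly full, so the terminator stored afterwards lands one byte past it. */
static void copy_as_patched(struct guarded *g, const char *src) {
    char *p1 = g->store;
    const char *p2 = src;
    int c;
    while (p1 < g->store + BUF_LEN && (c = *p2++) != '\0')
        *p1++ = (char)c;
    *p1 = '\0';            /* p1 == store + BUF_LEN when the input was too long */
}

/* Corrected bound: the last slot is reserved for the terminator, so an
 * over-long input is truncated to BUF_LEN - 1 bytes instead of overrunning. */
static void copy_fixed(struct guarded *g, const char *src) {
    char *p1 = g->store;
    const char *p2 = src;
    int c;
    while (p1 < g->store + BUF_LEN - 1 && (c = *p2++) != '\0')
        *p1++ = (char)c;
    *p1 = '\0';
}

/* Feeds a constructed input of len 'A' bytes to one copier. Returns 1 if the
 * canary survived, 0 if it was overwritten, -1 if len is out of range. */
static int overrun_check(void (*copier)(struct guarded *, const char *), size_t len) {
    struct guarded g;
    char input[64];
    if (len >= sizeof input)
        return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    guarded_init(&g);
    copier(&g, input);
    return (unsigned char)g.store[BUF_LEN] == CANARY;
}
```

An input of exactly BUF_LEN bytes is the case that separates the two loops: the patched bound clobbers the canary, the corrected one does not.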