From owner-freebsd-security Fri Oct 25 11:28:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA07061 for security-outgoing; Fri, 25 Oct 1996 11:28:29 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA07044 for ; Fri, 25 Oct 1996 11:28:20 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vGqzJ-00027v-00; Fri, 25 Oct 1996 12:28:09 -0600
To: Bill Paul
Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit
Cc: freebsd-security@freebsd.org
In-reply-to: Your message of "Fri, 25 Oct 1996 14:20:21 EDT." <199610251820.OAA26055@skynet.ctr.columbia.edu>
References: <199610251820.OAA26055@skynet.ctr.columbia.edu>
Date: Fri, 25 Oct 1996 12:28:09 -0600
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199610251820.OAA26055@skynet.ctr.columbia.edu> Bill Paul writes:
: ! while (p1 < (char *)&buf + BUFSIZ && (c = *p2++) != '\0') {
...
: Yes this will silently truncate the string, but if the printer subsystem
: isn't smart enough to deal with this gracefully then it's no damn good
: anyway. :)

:-). I just installed a variation of this from OpenBSD.

I think that the above patch has a fencepost error in it. What happens when you get more than BUFSIZ bytes? The first test will fail when buf is exactly full. However, one more byte is written after the loop ends, which will overflow onto the stack. Maybe it is harmless, but you never can tell.

See my last mail in security for other reasons why my patch is completely bogus and for the patch I applied. lpd may not be able to handle the long lines due to its use of fixed buffers everywhere.

Also, my patch dumps core the first time through the loop (that will teach me to post w/o testing :-).

Warner
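The fencepost Warner describes, as an added C example that is not part of the original thread or of lpd's code: the copy loop with the bound as quoted, beside a version that reserves the last byte for the terminator, each run against a small stand-in for BUFSIZ (an assumed value of 8) with one guard byte placed after the buffer so the stray write can be observed without corrupting anything.

```c
#include <stddef.h>
#include <string.h>

/* Assumption for the demo: a tiny BUFSIZ so the edge case is easy to hit. */
#define DEMO_BUFSIZ 8

/* Bound as quoted in the thread: p1 may reach buf + bufsiz inside the loop,
 * so the NUL written afterwards lands at buf[bufsiz], one past the end. */
static size_t copy_as_quoted(char *buf, size_t bufsiz, const char *src)
{
    char *p1 = buf;
    const char *p2 = src;
    int c;

    while (p1 < buf + bufsiz && (c = *p2++) != '\0')
        *p1++ = (char)c;
    *p1 = '\0';                 /* out of bounds when buf is exactly full */
    return (size_t)(p1 - buf);
}

/* Corrected bound: stop one byte early so the terminator always fits. */
static size_t copy_fixed(char *buf, size_t bufsiz, const char *src)
{
    char *p1 = buf;
    const char *p2 = src;
    int c;

    while (p1 < buf + bufsiz - 1 && (c = *p2++) != '\0')
        *p1++ = (char)c;
    *p1 = '\0';                 /* always within buf[0 .. bufsiz-1] */
    return (size_t)(p1 - buf);
}

/* Copy src into a DEMO_BUFSIZ buffer followed by a guard byte we own.
 * Returns 1 if the guard byte was overwritten, 0 if it was left alone. */
int overflows(int use_fixed, const char *src)
{
    char backing[DEMO_BUFSIZ + 1];          /* buffer plus one guard byte */

    memset(backing, 'X', sizeof backing);
    if (use_fixed)
        copy_fixed(backing, DEMO_BUFSIZ, src);
    else
        copy_as_quoted(backing, DEMO_BUFSIZ, src);
    return backing[DEMO_BUFSIZ] != 'X';
}

/* Index at which the terminating NUL was written, for the same setup. */
size_t nul_index(int use_fixed, const char *src)
{
    char backing[DEMO_BUFSIZ + 1];

    memset(backing, 'X', sizeof backing);
    return use_fixed ? copy_fixed(backing, DEMO_BUFSIZ, src)
                     : copy_as_quoted(backing, DEMO_BUFSIZ, src);
}
```

With an 8-byte input the quoted loop fills the buffer exactly and then writes the NUL into the guard byte; the fixed loop truncates to 7 characters and terminates inside the buffer.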