Message-Id: <200103122300.f2CN0gC10349@misha.privatelabs.com>
Date: Mon, 12 Mar 2001 18:00:40 -0500 (EST)
From: mi@aldan.algebra.com
Subject: Re: cvs commit: ports/net/scotty3 Makefile pkg-plist ports/net/scotty3/files patch-fixes scotty.c patch-ac patch-ad
To: Kris Kennaway
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
In-Reply-To: <20010312143824.B86831@mollari.cthul.hu>

= As I recall, there are a
= number of buffer overflows in command-line arguments of setugid programs:
= [-flag] `perl -e 'print "a"x5000'`

Well, your note in the Makefile is:

    FORBIDDEN="Buffer overflow in ntping yielding setuid root"

Ntping's argument parsing is fairly straightforward, and the space for
the arguments is malloc-ed before writing:

    [...]
    else {
        /* any other arg is copied and scanned later: */
        int len = strlen (*argv);
        if (! cmdbuflen)
            cmd = xmalloc (cmdbuflen = len + 5);
        else if (len + cmdlen >= cmdbuflen)
            cmd = xrealloc (cmd, cmdbuflen = cmdlen + len + 5);
        sprintf (cmd + cmdlen, "%s%s", cmdlen ? " " : "", *argv);
        cmdlen += len + (cmdlen > 0);
    }
    [...]

My eyes are not as trained as yours, of course, but I think it will simply
crash if the malloc/realloc fail, but that's it... Could you, please, clarify?

Thanks,

    -mi
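The size bookkeeping of the loop quoted in this message can be checked mechanically. The following is an added example, not part of the original message or of the scotty/ntping source: `max_overrun` replays the quoted malloc/realloc arithmetic on constructed argument lists without writing to memory, and `append_arg` is a hypothetical variant whose capacity check counts the separator and the terminating NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replays the quoted loop's size bookkeeping without touching memory.
 * Returns how many bytes the largest sprintf() would place past the end
 * of the allocation (0 means every write fits). */
size_t max_overrun(const char *const *args, size_t n)
{
    size_t cmdlen = 0, cmdbuflen = 0, worst = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(args[i]);
        if (!cmdbuflen)
            cmdbuflen = len + 5;
        else if (len + cmdlen >= cmdbuflen)
            cmdbuflen = cmdlen + len + 5;
        /* sprintf() emits: optional separator + argument + terminating NUL */
        size_t end = cmdlen + (cmdlen ? 1 : 0) + len + 1;
        if (end > cmdbuflen && end - cmdbuflen > worst)
            worst = end - cmdbuflen;
        cmdlen += len + (cmdlen > 0);
    }
    return worst;
}

/* Hypothetical replacement: the capacity check counts separator and NUL.
 * Returns 0 on success, -1 if realloc() fails (buffer left untouched). */
int append_arg(char **cmd, size_t *cmdlen, size_t *cap, const char *arg)
{
    size_t sep = *cmdlen ? 1 : 0, len = strlen(arg);
    size_t need = *cmdlen + sep + len + 1;
    if (need > *cap) {
        char *p = realloc(*cmd, need + 16);
        if (!p) return -1;
        *cmd = p;
        *cap = need + 16;
    }
    if (sep)
        (*cmd)[(*cmdlen)++] = ' ';
    memcpy(*cmd + *cmdlen, arg, len + 1);
    *cmdlen += len;
    return 0;
}

int main(void)
{
    const char *fits[] = { "a", "bcd" }, *edge[] = { "a", "bcde" }; /* constructed */
    printf("fits=%zu edge=%zu\n", max_overrun(fits, 2), max_overrun(edge, 2));
    return 0;
}
```

With the 5 bytes of slack, the branch that reallocates always has room; only the path that skips `xrealloc` can come up short, and by at most one byte (the terminating NUL).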