Date: Fri, 25 Oct 1996 15:31:51 -0400 (EDT)
From: Bill Paul <wpaul@skynet.ctr.columbia.edu>
To: imp@village.org (Warner Losh)
Cc: freebsd-security@freebsd.org
Subject: Re: Vadim Kolontsov: BoS: Linux & BSD's lpr exploit
Message-ID: <199610251931.PAA26175@skynet.ctr.columbia.edu>
In-Reply-To: <E0vGqzJ-00027v-00@rover.village.org> from "Warner Losh" at Oct 25, 96 12:28:09 pm
Of all the gin joints in all the towns in all the world, Warner Losh had
to walk into mine and say:
> In message <199610251820.OAA26055@skynet.ctr.columbia.edu> Bill Paul writes:
> : ! while (p1 < (char *)&buf + BUFSIZ && (c = *p2++) != '\0') {
> ...
> : Yes this will silently truncate the string, but if the printer subsystem
> : isn't smart enough to deal with this gracefully then it's no damn good
> : anyway. :)
>
> :-). I just installed a variation of this from OpenBSD. I think that
> the above patch has a fencepost error in it. What happens when you
> get more than BUFSIZ bytes? The first test will fail when buf is
> exactly full. However, one more byte is written after the loop ends,
> which will overflow onto the stack. Maybe it is harmless, but you
> never can tell. See my last mail in security for other reasons why my
> patch is completely bogus and for the patch I applied. lpd may not be
> able to handle the long lines due to its use of fixed buffers
> everywhere. Also, my patch dumps core the first time through the loop
> (that will teach me to post w/o testing :-).
>
> Warner
Whups. Yeah, you're right. The assignment of the newline at the end
didn't catch my eye for some reason. I suppose it should be:
while (p1 < ((char *)&buf + BUFSIZ - 1) && (c = *p2++) != '\0') {
In any event, overrunning the buffer by one byte and possibly dumping
core is a little better than giving away a free root shell. :)
FYI: this same bug is likely to be present in lpr on SunOS (well, duh),
though obviously you'd need a different chunk of machine instructions to
exploit it.
-Bill
--
=============================================================================
-Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu
Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
"If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================
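The fencepost discussed in this exchange, as an added illustration that is not part of the thread or of the lpr source: the loop stops when the buffer is exactly full, and the unconditional newline store after the loop is then one byte past the end. The bound of `BUFSIZ - 1` leaves room for that store. `BUFSIZ_LOCAL` is a constructed stand-in for BUFSIZ so the edge case is visible with short input, and the destination is given extra slack so the overrun is counted rather than actually triggered.

```c
#include <stdio.h>

/* Constructed stand-in for BUFSIZ; small so the boundary case is easy to see. */
#define BUFSIZ_LOCAL 16

/*
 * Copy src into buf up to `bound` bytes, then append '\n', exactly as the
 * loop quoted in the thread does.  Returns the number of bytes stored,
 * newline included.  With bound == BUFSIZ_LOCAL the newline lands at index
 * BUFSIZ_LOCAL, one past the last valid element; with bound == BUFSIZ_LOCAL - 1
 * it lands at index BUFSIZ_LOCAL - 1, the last valid element.
 */
static size_t copy_line(char *buf, const char *src, size_t bound)
{
    char *p1 = buf;
    const char *p2 = src;
    int c;

    while (p1 < buf + bound && (c = *p2++) != '\0')
        *p1++ = (char)c;
    *p1++ = '\n';               /* the store the loop's bound must leave room for */
    return (size_t)(p1 - buf);
}

/* Original bound (BUFSIZ): overruns by one byte on a line of BUFSIZ or more. */
size_t bytes_written_buggy(const char *src)
{
    char buf[BUFSIZ_LOCAL + 8]; /* slack so the overrun is observable, not UB */
    return copy_line(buf, src, BUFSIZ_LOCAL);
}

/* Corrected bound (BUFSIZ - 1): the newline always fits. */
size_t bytes_written_fixed(const char *src)
{
    char buf[BUFSIZ_LOCAL + 8];
    return copy_line(buf, src, BUFSIZ_LOCAL - 1);
}

/* 1 if the store count exceeds the real buffer size, i.e. an overrun occurred. */
int overflows(size_t written)
{
    return written > BUFSIZ_LOCAL;
}

int main(void)
{
    /* Constructed input longer than BUFSIZ_LOCAL. */
    const char *line = "this line is longer than sixteen bytes";
    size_t b = bytes_written_buggy(line);
    size_t f = bytes_written_fixed(line);

    printf("bound BUFSIZ     : %zu bytes stored, overrun=%d\n", b, overflows(b));
    printf("bound BUFSIZ - 1 : %zu bytes stored, overrun=%d\n", f, overflows(f));
    return 0;
}
```

The check to carry away: whenever a bounded copy loop is followed by an unconditional store (a newline, a NUL terminator, or both), the loop bound must be reduced by the number of bytes stored after it.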
