Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 4 Jan 2003 19:56:46 +0100 (CET)
From:      Philipp Mergenthaler <philipp.mergenthaler@stud.uni-karlsruhe.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/46761: buffer overflow by strcpy() in natd's argv handling
Message-ID:  <200301041856.h04Iuk4q003228@i609a.hadiko.de>

next in thread | raw e-mail | index | archive | help

>Number:         46761
>Category:       bin
>Synopsis:       buffer overflow by strcpy() in natd's argv handling
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 04 11:00:12 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Philipp Mergenthaler
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
University of Karlsruhe, Germany
>Environment:
System: FreeBSD i609a.hadiko.de 5.0-CURRENT FreeBSD 5.0-CURRENT #618: Tue Dec 31 23:18:58 CET 2002 p@i609a.hadiko.de:/usr/obj/usr/src/sys/I609 i386


	
>Description:
In src/sbin/natd/natd.c:ParseArgs() the command line arguments are asembled
into char parmBuf[256], which is then passed to ParseOption().
There it is passed (via char *strValue) to SetupPortRedirect(),
SetupProtoRedirect() or SetupAddressRedirect(), respectively.
In each of those we have:

        char            buf[128];
[...]
        strcpy (buf, parms);

which copies up to 256 chars into buf.


	
>How-To-Repeat:
	
>Fix:

In addition to replacing the strcpy()s with strlcpy() maybe those
"magic number" buffer sizes could be replaced with a macro.

Index: natd.c
===================================================================
RCS file: /ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.39
diff -u -r1.39 natd.c
--- natd.c	15 Jan 2002 17:07:56 -0000	1.39
+++ natd.c	4 Jan 2003 18:25:57 -0000
@@ -1351,7 +1351,7 @@
 	int             i;
 	struct alias_link *link = NULL;
 
-	strcpy (buf, parms);
+	strlcpy (buf, parms, sizeof(buf));
 /*
  * Extract protocol.
  */
@@ -1482,7 +1482,7 @@
 	char*		protoName;
 	struct protoent *protoent;
 
-	strcpy (buf, parms);
+	strlcpy (buf, parms, sizeof(buf));
 /*
  * Extract protocol.
  */
@@ -1536,7 +1536,7 @@
 	char*		serverPool;
 	struct alias_link *link;
 
-	strcpy (buf, parms);
+	strlcpy (buf, parms, sizeof(buf));
 /*
  * Extract local address.
  */
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301041856.h04Iuk4q003228>