Date: Sat, 4 Jan 2003 19:56:46 +0100 (CET) From: Philipp Mergenthaler <philipp.mergenthaler@stud.uni-karlsruhe.de> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/46761: buffer overflow by strcpy() in natd's argv handling Message-ID: <200301041856.h04Iuk4q003228@i609a.hadiko.de>
next in thread | raw e-mail | index | archive | help
>Number: 46761 >Category: bin >Synopsis: buffer overflow by strcpy() in natd's argv handling >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Jan 04 11:00:12 PST 2003 >Closed-Date: >Last-Modified: >Originator: Philipp Mergenthaler >Release: FreeBSD 5.0-CURRENT i386 >Organization: University of Karlsruhe, Germany >Environment: System: FreeBSD i609a.hadiko.de 5.0-CURRENT FreeBSD 5.0-CURRENT #618: Tue Dec 31 23:18:58 CET 2002 p@i609a.hadiko.de:/usr/obj/usr/src/sys/I609 i386 >Description: In src/sbin/natd/natd.c:ParseArgs() the command line arguments are asembled into char parmBuf[256], which is then passed to ParseOption(). There it is passed (via char *strValue) to SetupPortRedirect(), SetupProtoRedirect() or SetupAddressRedirect(), respectively. In each of those we have: char buf[128]; [...] strcpy (buf, parms); which copies up to 256 chars into buf. >How-To-Repeat: >Fix: In addition to replacing the strcpy()s with strlcpy() maybe those "magic number" buffer sizes could be replaced with a macro. Index: natd.c =================================================================== RCS file: /ncvs/src/sbin/natd/natd.c,v retrieving revision 1.39 diff -u -r1.39 natd.c --- natd.c 15 Jan 2002 17:07:56 -0000 1.39 +++ natd.c 4 Jan 2003 18:25:57 -0000 @@ -1351,7 +1351,7 @@ int i; struct alias_link *link = NULL; - strcpy (buf, parms); + strlcpy (buf, parms, sizeof(buf)); /* * Extract protocol. */ @@ -1482,7 +1482,7 @@ char* protoName; struct protoent *protoent; - strcpy (buf, parms); + strlcpy (buf, parms, sizeof(buf)); /* * Extract protocol. */ @@ -1536,7 +1536,7 @@ char* serverPool; struct alias_link *link; - strcpy (buf, parms); + strlcpy (buf, parms, sizeof(buf)); /* * Extract local address. */ >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301041856.h04Iuk4q003228>