Date:      20 Apr 2003 10:31:16 +0200
From:      Sebastian Ssmoller <sebastian.ssmoller@gmx.net>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        FreeBSD-audit <audit@freebsd.org>
Subject:   Re: Buffer overflow in disklabel
Message-ID:  <1050827478.2737.4.camel@hadriel>
In-Reply-To: <1050826585.2052.12.camel@hadriel>
References:  <20030420032303.GA25568@rot13.obsecurity.org>  <1050826585.2052.12.camel@hadriel>

Sorry, I seem to have a problem with my email client :-( Hope the
attachment is now there...

seb

On Sun, 2003-04-20 at 10:16, Sebastian Ssmoller wrote:
> Hi,
> I attached a patch for that problem. Can someone have a look at it?
> 
> But one thing is still unclear to me: Why do we need an 8k buffer for the
> disk name?
> 
> seb
> 
> On Sun, 2003-04-20 at 05:23, Kris Kennaway wrote:
> > Run the following under /bin/sh (not tcsh, which - still! - has a bug
> > that causes the command to hang tcsh):
> > 
> > # disklabel `perl -e 'print "a"x51200'`
> > Segmentation fault (core dumped)
> > 
> > The responsible code is:
> > 
> >         dkname = argv[0];
> >         if (dkname[0] != '/') {
> >                 (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
> >                 specname = np;
> >                 np += strlen(specname) + 1;
> >         } else
> >                 specname = dkname;
> >         f = open(specname, op == READ ? O_RDONLY : O_RDWR);
> >         if (f < 0 && errno == ENOENT && dkname[0] != '/') {
> >                 (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
> >                 np = namebuf + strlen(specname) + 1;
> >                 f = open(specname, op == READ ? O_RDONLY : O_RDWR);
> >         }
> > 
> > i.e. overflowing an 8k buffer.  Does anyone feel like fixing it?
> > 
> > Kris
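Added example, not part of the original message and not the attached patch (which is not shown on this page): one way to build the device path from the quoted code with a length check, so that an over-long disk name is rejected instead of overrunning the 8k buffer. The function name `build_specname`, the constants `DEV_PREFIX` and `NAMEBUF_LEN`, and the `RAW_PART` value of 2 are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define DEV_PREFIX  "/dev/"  /* stands in for _PATH_DEV (assumed value) */
#define RAW_PART    2        /* assumed; platform-specific in the real source */
#define NAMEBUF_LEN 8192     /* the "8k buffer" mentioned in the report */

/*
 * Build the device path for a relative dkname into out[outlen].
 *   with_part != 0: "<prefix><dkname><raw partition letter>" (first open attempt)
 *   with_part == 0: "<prefix><dkname>"                       (ENOENT fallback)
 * Returns the length written, or -1 if the result would not fit.
 * Absolute names (leading '/') are left to the caller, as in the quoted code.
 */
int build_specname(char *out, size_t outlen, const char *dkname, int with_part)
{
    int n;

    if (out == NULL || outlen == 0 || dkname == NULL)
        return -1;
    if (with_part)
        n = snprintf(out, outlen, "%s%s%c", DEV_PREFIX, dkname, 'a' + RAW_PART);
    else
        n = snprintf(out, outlen, "%s%s", DEV_PREFIX, dkname);

    /* snprintf reports the length it needed; >= outlen means truncation. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';       /* never hand a truncated path to open() */
        return -1;
    }
    return n;
}

int main(void)
{
    static char namebuf[NAMEBUF_LEN];
    static char longname[51200 + 1]; /* constructed input, same length as in the report */

    memset(longname, 'a', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("ad0   -> %d (%s)\n",
        build_specname(namebuf, sizeof(namebuf), "ad0", 1), namebuf);
    printf("51200 -> %d\n",
        build_specname(namebuf, sizeof(namebuf), longname, 1));
    return 0;
}
```

A caller would treat a return of -1 as a usage error and exit before calling `open()`.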