Date: Mon, 12 Mar 2001 18:00:40 -0500 (EST)
From: mi@aldan.algebra.com
To: Kris Kennaway <kris@obsecurity.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/net/scotty3 Makefile pkg-plist ports/net/scotty3/files patch-fixes scotty.c patch-ac patch-ad
Message-ID: <200103122300.f2CN0gC10349@misha.privatelabs.com>
In-Reply-To: <20010312143824.B86831@mollari.cthul.hu>

= As I recall, there are a
= number of buffer overflows in command-line arguments of setugid programs:
= <command> [-flag] `perl -e 'print "a"x5000'`

Well, your note in the Makefile is:

    FORBIDDEN="Buffer overflow in ntping yielding setuid root"

Ntping's argument parsing is fairly straightforward, and the space for the
arguments is malloc-ed before writing:

    [...]
    else {
        /* any other arg is copied and scanned later: */
        int len = strlen (*argv);
        if (! cmdbuflen)
            cmd = xmalloc (cmdbuflen = len + 5);
        else if (len + cmdlen >= cmdbuflen)
            cmd = xrealloc (cmd, cmdbuflen = cmdlen + len + 5);
        sprintf (cmd + cmdlen, "%s%s", cmdlen ? " " : "", *argv);
        cmdlen += len + (cmdlen > 0);
    }
    [...]

My eyes are not as trained as yours, of course, but I think, it will simply
crash if the malloc/realloc fail, but that's it... Could you, please, clarify?

Thanks,

    -mi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200103122300.f2CN0gC10349>
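
The size arithmetic of the quoted loop can be checked mechanically. The following is an added example, not part of the original message or of scotty's source: it replays only the length bookkeeping without writing any bytes, and pairs it with a hardened append. The names audit_quoted_logic and append_arg are hypothetical, and cmdlen and cmdbuflen are assumed to start at 0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replays only the size bookkeeping of the quoted loop; nothing is written.
 * Returns the largest number of bytes any sprintf() call would place past
 * the end of the allocation (0 means every write fits). */
size_t audit_quoted_logic(const size_t *lens, size_t n)
{
    size_t cmdlen = 0, cmdbuflen = 0, worst = 0;   /* assumed initial state */
    for (size_t i = 0; i < n; i++) {
        size_t len = lens[i];
        if (!cmdbuflen)
            cmdbuflen = len + 5;
        else if (len + cmdlen >= cmdbuflen)
            cmdbuflen = cmdlen + len + 5;
        /* sprintf() emits: optional ' ', len argument bytes, one NUL */
        size_t end = cmdlen + (cmdlen > 0) + len + 1;
        if (end > cmdbuflen && end - cmdbuflen > worst)
            worst = end - cmdbuflen;
        cmdlen += len + (cmdlen > 0);
    }
    return worst;
}

/* Hardened append (hypothetical helper): sizes the buffer from the exact
 * byte count needed and bounds the write. Returns 0 on success, -1 on error. */
int append_arg(char **cmd, size_t *cmdlen, size_t *cmdbuflen, const char *arg)
{
    size_t len = strlen(arg), sep = (*cmdlen > 0);
    size_t need = *cmdlen + sep + len + 1;         /* separator + arg + NUL */
    if (need < len)
        return -1;                                 /* size_t wrapped around */
    if (need > *cmdbuflen) {
        char *p = realloc(*cmd, need);
        if (!p)
            return -1;
        *cmd = p;
        *cmdbuflen = need;
    }
    snprintf(*cmd + *cmdlen, *cmdbuflen - *cmdlen, "%s%s", sep ? " " : "", arg);
    *cmdlen += sep + len;
    return 0;
}

int main(void)
{
    size_t lens[] = {3, 4};                        /* constructed lengths */
    printf("bytes past end: %zu\n", audit_quoted_logic(lens, 2));
    return 0;
}
```

The quoted growth test leaves room for one byte beyond the argument, while the write needs two (separator and terminating NUL) whenever an earlier argument is already in the buffer.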