Date: Mon, 12 Mar 2001 18:00:40 -0500 (EST)
From: mi@aldan.algebra.com
To: Kris Kennaway <kris@obsecurity.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/net/scotty3 Makefile pkg-plist ports/net/scotty3/files patch-fixes scotty.c patch-ac patch-ad
Message-ID: <200103122300.f2CN0gC10349@misha.privatelabs.com>
In-Reply-To: <20010312143824.B86831@mollari.cthul.hu>
= As I recall, there are a
= number of buffer overflows in command-line arguments of setugid programs:
= <command> [-flag] `perl -e 'print "a"x5000'`
Well, your note in the Makefile is:
FORBIDDEN="Buffer overflow in ntping yielding setuid root"
Ntping's argument parsing is fairly straightforward, and the space for
the arguments is malloc-ed before writing:
	[...]
	else
	  { /* any other arg is copied and scanned later: */
	    int len = strlen (*argv);
	    if (! cmdbuflen)
	      cmd = xmalloc (cmdbuflen = len + 5);
	    else if (len + cmdlen >= cmdbuflen)
	      cmd = xrealloc (cmd, cmdbuflen = cmdlen + len + 5);
	    sprintf (cmd + cmdlen, "%s%s", cmdlen ? " " : "", *argv);
	    cmdlen += len + (cmdlen > 0);
	  }
	[...]
My eyes are not as trained as yours, of course, but I think it will
simply crash if the malloc/realloc fail, but that's it... Could you
please clarify? Thanks,
-mi
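
The size accounting of the branch quoted in the message above, replayed as an added C example (not part of the original message or of the scotty sources). It assumes cmdlen and cmdbuflen start at 0, which the excerpt does not show; max_overrun, bytes_needed, the strict flag and the sample length lists are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes that sprintf(cmd + cmdlen, "%s%s", sep, arg) needs, counted from
 * cmd[0]: existing text + optional separator + argument + NUL. */
static size_t bytes_needed(size_t cmdlen, size_t len)
{
    return cmdlen + (cmdlen > 0) + len + 1;
}

/* Replays the size bookkeeping of the quoted branch over a list of argument
 * lengths; nothing is allocated. Returns the largest number of bytes a write
 * would land past the end of the buffer (0 = every write fits).
 * strict == 0: growth test as quoted (len + cmdlen >= cmdbuflen).
 * strict != 0: growth test on the bytes actually written. */
size_t max_overrun(const size_t *lens, size_t n, int strict)
{
    size_t cmdlen = 0, cmdbuflen = 0, worst = 0; /* assumed initial state */

    for (size_t i = 0; i < n; i++) {
        size_t len = lens[i];
        size_t need = bytes_needed(cmdlen, len);
        int grow = strict ? need > cmdbuflen : len + cmdlen >= cmdbuflen;

        if (!cmdbuflen)
            cmdbuflen = len + 5;            /* xmalloc size */
        else if (grow)
            cmdbuflen = cmdlen + len + 5;   /* xrealloc size */

        if (need > cmdbuflen && need - cmdbuflen > worst)
            worst = need - cmdbuflen;
        cmdlen += len + (cmdlen > 0);
    }
    return worst;
}

/* Constructed argument-length lists, not real ntping invocations. */
static const size_t one_long[] = { 5000 };  /* single 5000-byte argument */
static const size_t fits[]     = { 3, 3 };  /* "abc def"  needs 8 bytes  */
static const size_t tight[]    = { 3, 4 };  /* "abc defg" needs 9 bytes  */

int main(void)
{
    printf("one_long, as quoted: %zu\n", max_overrun(one_long, 1, 0));
    printf("fits,     as quoted: %zu\n", max_overrun(fits, 2, 0));
    printf("tight,    as quoted: %zu\n", max_overrun(tight, 2, 0));
    printf("tight,    strict:    %zu\n", max_overrun(tight, 2, 1));
    return 0;
}
```

For the excerpt as quoted, a single very long argument fits, while argument lengths 3 then 4 put the terminating NUL one byte past the 8-byte allocation. Growing the buffer based on the bytes actually written before each sprintf removes that case.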
