Date: Thu, 19 Jul 2001 10:52:40 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Pierre-Luc Lespérance <silence@oksala.org>
Cc: security@FreeBSD.ORG
Subject: Re: [PATCH] Re: FreeBSD remote root exploit ?
Message-ID: <200107191752.f6JHqer75736@earth.backplane.com>
References: <5.1.0.14.0.20010719001357.03e22638@192.168.0.12> <014d01c11031$bdab5a10$2001a8c0@clitoris> <20010719201407.B61061@sunbay.com> <003701c11077$b3125400$0d00a8c0@alexus> <3B5718A0.2B650C9C@oksala.org>
:go to /usr/src/crypto/telnet/telnetd
:and type
:shell~# patch -p < /where/is/the/file.patch

It isn't really safe code. If the data being formatted is larger
than the format argument you can overflow the buffer, and the
'ret' from vsnprintf() is the amount of data that would have been
output if the buffer had been large enough, not the amount of data
that was actually output. Also, size_t is unsigned, which means
if you overflow the buffer by one byte you are screwed.

There appear to be a number of places (mainly the DIAG code, but also
the ENCRYPT code) where this is true. This patch will fix the existing
options-based hole, but doesn't close it.

-Matt
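
The two vsnprintf() behaviors described in the message above, shown as an added example that is not part of the original e-mail or of the telnetd patch. `struct obuf`, `append_naive`, `naive_remaining`, `append_checked` and the 16-byte buffer size are hypothetical names and values chosen for illustration; the 20-byte input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OBUF_SIZE 16                 /* hypothetical size, small so truncation is easy to hit */
struct obuf { char data[OBUF_SIZE]; size_t used; };   /* hypothetical output buffer */

/* Bookkeeping the message warns about: the return value is trusted as "bytes stored". */
size_t append_naive(struct obuf *b, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int ret = vsnprintf(b->data + b->used, sizeof(b->data) - b->used, fmt, ap);
    va_end(ap);
    b->used += (size_t)ret;          /* ret is what WOULD have been written */
    return b->used;
}

/* Space the naive code would pass to its next call; unsigned, so it wraps when used > size. */
size_t naive_remaining(const struct obuf *b) { return sizeof(b->data) - b->used; }

/* Checked form: returns bytes stored, or -1 on error or truncation. */
int append_checked(struct obuf *b, const char *fmt, ...)
{
    if (b->used >= sizeof(b->data)) return -1;   /* never let the subtraction below wrap */
    size_t remaining = sizeof(b->data) - b->used;
    va_list ap;
    va_start(ap, fmt);
    int ret = vsnprintf(b->data + b->used, remaining, fmt, ap);
    va_end(ap);
    if (ret < 0)
        return -1;
    if ((size_t)ret >= remaining) {  /* truncated: only remaining-1 bytes plus NUL were stored */
        b->used = sizeof(b->data) - 1;
        return -1;
    }
    b->used += (size_t)ret;
    return ret;
}

int main(void)
{
    struct obuf n = { {0}, 0 }, c = { {0}, 0 };
    size_t u = append_naive(&n, "%s", "0123456789abcdefghij");    /* constructed 20-byte input */
    int rc = append_checked(&c, "%s", "0123456789abcdefghij");
    printf("naive: used=%zu stored=%zu next remaining=%zu\n", u, strlen(n.data), naive_remaining(&n));
    printf("checked: rc=%d used=%zu stored=%zu\n", rc, c.used, strlen(c.data));
    return 0;
}
```
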
