Humm, it seems to me like there is a plain old buffer overflow in
connect_to_gserver().  hostinfo->h_name is taken directly from DNS (in
init_sockaddr()) which could be under control of remote host.  Then it
is sprintf()'ed without length checking into buf[1024].  You get the
idea.


2001-06-13  Alexey Mahotkin  <[EMAIL PROTECTED]>

        * client.c: Fix incorrect fixed-size buffer usage in
        connect_to_gserver().

--- client.c    Tue Apr 24 22:14:53 2001
+++ client.c-new        Wed Jun 13 21:41:49 2001
@@ -4189,13 +4189,15 @@
 
 /* Connect to the server using GSSAPI authentication.  */
 
+#define BUFSIZE 1024
+
 static int
 connect_to_gserver (sock, hostinfo)
      int sock;
      struct hostent *hostinfo;
 {
     char *str;
-    char buf[1024];
+    char buf[BUFSIZE];
     gss_buffer_desc *tok_in_ptr, tok_in, tok_out;
     OM_uint32 stat_min, stat_maj;
     gss_name_t server_name;
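Review bot: the added `#define BUFSIZE 1024` sits between the function comment and `static int connect_to_gserver`, so the comment `/* Connect to the server using GSSAPI authentication.  */` no longer directly precedes the function it describes, and a file-scope macro with a name as generic as `BUFSIZE` invites collisions with other headers. Using `sizeof buf` at the call site expresses the bound without any new macro; if a macro is kept, it belongs with the other defines at the top of client.c under a less generic name.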
@@ -4205,7 +4207,7 @@
     if (send (sock, str, strlen (str), 0) < 0)
        error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
 
-    sprintf (buf, "cvs@%s", hostinfo->h_name);
+    snprintf (buf, BUFSIZE, "cvs@%s", hostinfo->h_name);
     tok_in.length = strlen (buf);
     tok_in.value = buf;
     gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,
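Review bot: `snprintf (buf, BUFSIZE, "cvs@%s", hostinfo->h_name);` stops the overflow but discards the return value, so an `h_name` that does not fit is silently truncated and the cut-off string is still handed to `gss_import_name` as the service principal. Check the result (`n < 0 || n >= BUFSIZE`) and fail with `error (1, 0, ...)` the way the `send` failure just above does, and prefer `sizeof buf` over `BUFSIZE` so the bound cannot drift from the declaration.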

--alexm
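As an added example (not part of Alexey's patch or the CVS sources), here is the name-building step written so that truncation is detected rather than ignored: the caller gets -1 when "cvs@" plus the hostname would not fit, instead of a silently shortened principal. The function names `build_gss_service_name` and `hostname_fits` are assumptions for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 1024  /* same bound as the buffer in connect_to_gserver() */

/* Write "cvs@<h_name>" into buf (bufsize bytes).  Returns the number of
 * characters written, or -1 if the name would not fit including the
 * terminating NUL or an argument is missing.  On -1 buf is left empty so
 * a caller cannot accidentally use a truncated principal. */
int build_gss_service_name(const char *h_name, char *buf, size_t bufsize)
{
    int n;
    if (h_name == NULL || buf == NULL || bufsize == 0)
        return -1;
    n = snprintf(buf, bufsize, "cvs@%s", h_name);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';   /* snprintf truncated or failed: refuse the name */
        return -1;
    }
    return n;
}

/* Demo helper: build a constructed hostname of `len` 'a' characters and
 * report what build_gss_service_name() returns for a buffer of bufsize. */
int hostname_fits(size_t len, size_t bufsize)
{
    char *host = malloc(len + 1);
    char *buf = malloc(bufsize);
    int rc;
    if (host == NULL || buf == NULL) {
        free(host);
        free(buf);
        return -1;
    }
    memset(host, 'a', len);
    host[len] = '\0';
    rc = build_gss_service_name(host, buf, bufsize);
    free(host);
    free(buf);
    return rc;
}

int main(void)
{
    /* 15-byte hostname fits; a 1020-byte one needs 1025 bytes and is rejected */
    printf("short host: %d\n", hostname_fits(15, BUFSIZE));    /* 19 */
    printf("long host:  %d\n", hostname_fits(1020, BUFSIZE));  /* -1 */
    return 0;
}
```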

_______________________________________________
Bug-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-cvs
