Package: netkit-base
Version: 0.10-10.3
Severity: normal
Hello,
recently I noticed the following bit of code in the source file
"rpc_cout.c" (near the end):
static char *upcase(const char *str) {
char *ptr, *hptr;
ptr = malloc(strlen(str));
if (ptr == NULL) {
f_print(stderr,"malloc failed\n");
exit(1);
}
hptr=ptr;
while (*str != 0) {
*ptr++ = toupper(*str++);
}
*ptr=0;
return hptr;
}
As you can see the malloc reserves enough memory to store the
uppercased string but not the trailing '\0'. The statement '*ptr'
causes a buffer overflow, then.
I did not check whether this is exploitable in any way, but probably
this should be fixed anyway.
I hope this helps,
Jochen
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]