Package: netkit-base
Version: 0.10-10.3
Severity: normal

Hello,

recently I noticed the following bit of code in the source file
"rpc_cout.c" (near the end):

    static char *upcase(const char *str) {
        char *ptr, *hptr;
        ptr = malloc(strlen(str));
        if (ptr == NULL) {
            f_print(stderr,"malloc failed\n");
            exit(1);
        }
        hptr=ptr;
        while (*str != 0) {
            *ptr++ = toupper(*str++);
        }
        *ptr=0;
        return hptr;
    }

As you can see the malloc reserves enough memory to store the
uppercased string but not the trailing '\0'.  The statement '*ptr'
causes a buffer overflow, then.

I did not check whether this is exploitable in any way, but probably
this should be fixed anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to