Bugs item #1620701, was opened at 2006-12-22 10:50
Message generated for change (Comment added) made by bastian
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1620701&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: modules
Group: None
Status: Open
Resolution: Fixed
Priority: 5
Private: No
Submitted By: Bastian Friedrich (bastian)
Assigned to: Bogdan (bogdan_iancu)
Summary: Buffer overflow by long lines in permissions

Initial Comment:
Hi,

today a bug in OpenSER was reported on bugtraq (not found by me!):
http://www.securityfocus.com/archive/1/455097/30/0/threaded

String lengths are not properly checked in parse_expression_list
(modules/permissions/parse_config.c) while copying from input variable str
(up to 500 chars) to str2 (up to 100 chars).

I can reproduce the problem by using a line like

ALLLLLLL (500 L's) : ALLLLLLL (another 500 L's)

in a permission file.

As the configuration file is under administrative control, no security
breach is directly implied.

Best,
Bastian

----------------------------------------------------------------------

>Comment By: Bastian Friedrich (bastian)
Date: 2007-01-04 19:28

Message:
Logged In: YES
user_id=34841
Originator: YES

Hi Bogdan,

looks good (although I wonder why I'm not able to trigger the "Expression
too long" warning...?! :)

Thx,
Bastian

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-04 18:45

Message:
Logged In: YES
user_id=1275325
Originator: NO

Hi Bastian,

I have just committed a patch for fixing this problem. Could you please
give it a try to see if it works? If everything is ok, I will make a
backport to 1.1.0.

thanks and regards,
bogdan

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2006-12-22 12:35

Message:
Logged In: YES
user_id=1275325
Originator: NO

Hi Bastian,

actually it is more than this - there is also no check when copying from
file to the line buffer (500 chars max). Looks like there is a lot of work
to be done there.
Thanks for the report - we will take care of it.

regards,
bogdan

----------------------------------------------------------------------
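A length-checked form of the two copies discussed in this thread (file to a 500-character line buffer, then line to 100-character expression buffers), as an added example that is not OpenSER's code or the committed patch. The function names, macro names and the split at ':' are assumptions made for illustration; only the two buffer sizes come from the report.

```c
#include <stdio.h>
#include <string.h>

#define LINE_LENGTH 500        /* line buffer size quoted in the report */
#define EXPRESSION_LENGTH 100  /* smaller buffer size quoted in the report */

/* Copy src[0..len) into dst only if it fits together with its NUL byte. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)
        return -1;             /* reject rather than overflow or truncate */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Split "left : right" at the first ':'. left and right must each point to
 * EXPRESSION_LENGTH bytes. Returns -1 if ':' is missing or a part is too long. */
int split_rule(const char *line, char *left, char *right)
{
    size_t n = strlen(line);
    const char *sep = memchr(line, ':', n);

    if (n >= LINE_LENGTH || sep == NULL)
        return -1;
    if (copy_bounded(left, EXPRESSION_LENGTH, line, (size_t)(sep - line)) < 0)
        return -1;
    return copy_bounded(right, EXPRESSION_LENGTH, sep + 1,
                        n - (size_t)(sep - line) - 1);
}

/* Read one line into buf. Returns 0 on success, 1 at end of file, and -1 when
 * the line did not fit; buf then holds only a prefix and must not be parsed.
 * The unread tail is discarded so the next call starts on a fresh line. */
int read_line_checked(FILE *fp, char *buf, size_t size)
{
    size_t n;
    int c, extra;

    if (fgets(buf, (int)size, fp) == NULL)
        return 1;
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    for (extra = 0; (c = fgetc(fp)) != EOF && c != '\n'; extra = 1)
        ;                      /* drain what fgets left behind */
    return extra ? -1 : 0;
}
```

A caller would treat -1 from either function as a configuration error for that line (log it and skip or abort the load) instead of parsing a truncated rule.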
