Bugs item #1620701, was opened at 2006-12-22 11:50
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1620701&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: modules
Group: None
>Status: Closed
Resolution: Fixed
Priority: 5
Private: No
Submitted By: Bastian Friedrich (bastian)
Assigned to: Bogdan (bogdan_iancu)
Summary: Buffer overflow by long lines in permissions

Initial Comment:
Hi,

today a bug in OpenSER was reported on bugtraq (not found by me!):
http://www.securityfocus.com/archive/1/455097/30/0/threaded

String lengths are not properly checked in parse_expression_list
(modules/permissions/parse_config.c) while copying from input variable str
(up to 500 chars) to str2 (up to 100 chars).

I can reproduce the problem by using a line like

ALLLLLLL (500 L's) : ALLLLLLL (another 500 L's)

in a permission file.

As the configuration file is under administrative control, no security
breach is directly implied.

Best,
Bastian

----------------------------------------------------------------------

>Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-05 13:32

Message:
Logged In: YES
user_id=1275325
Originator: NO

ok - perfect.

the fix was also backported to the stable version (1.1.0)

regards,
bogdan

----------------------------------------------------------------------

Comment By: Bastian Friedrich (bastian)
Date: 2007-01-05 13:19

Message:
Logged In: YES
user_id=34841
Originator: YES

Hi Bogdan,

thx for your new patches. They seem to do the trick now :)

Regards,
Bastian

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-04 21:04

Message:
Logged In: YES
user_id=1275325
Originator: NO

Hi Bastian,

I ran more tests and I found a bug in matching the "ALL" keyword - all
strings starting with "ALL" were matching :(.....

So, if you were using the ALLLLL (250 L), it would never try to parse it as
a list, as the string was considered "ALL"....

try now....at least it works for me.

thanks and regards,
bogdan

----------------------------------------------------------------------

Comment By: Bastian Friedrich (bastian)
Date: 2007-01-04 20:28

Message:
Logged In: YES
user_id=34841
Originator: YES

Hi Bogdan,

looks good (although I wonder why I'm not able to trigger the "Expression
too long" warning...?! :)

Thx,
Bastian

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-04 19:45

Message:
Logged In: YES
user_id=1275325
Originator: NO

Hi Bastian,

I have just committed a patch for fixing this problem. Could you please
give it a try to see if it works? If everything is ok, I will make a
backport to 1.1.0.

thanks and regards,
bogdan

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2006-12-22 13:35

Message:
Logged In: YES
user_id=1275325
Originator: NO

Hi Bastian,

actually it is more than this - there is also no check when copying from
the file to the line buffer (500 chars max). Looks like there is a lot of
work to be done there.

Thanks for the report - we will take care of it.

regards,
bogdan

----------------------------------------------------------------------
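
The two defects discussed in this thread (an unchecked copy from the 500-character line into a 100-character expression buffer, and "ALL" matching any string that merely starts with "ALL"), as an added example that is not OpenSER's code or the committed patch: a length check before each copy and an exact keyword match. The names parse_side, EXPR_MAX and MAX_ITEMS, the comma-separated item layout and the return codes are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define EXPR_MAX 100   /* per-expression buffer size named in the report */
#define MAX_ITEMS 8    /* constructed limit for this sketch */
enum { SIDE_ALL = -1, SIDE_TOO_LONG = -2, SIDE_TOO_MANY = -3 };

/* Trim whitespace by moving the start pointer and shrinking the length. */
static void trim(const char **s, size_t *len)
{
    while (*len && isspace((unsigned char)**s)) { (*s)++; (*len)--; }
    while (*len && isspace((unsigned char)(*s)[*len - 1])) (*len)--;
}

/* Parse one side of "left : right". Returns SIDE_ALL for the exact keyword,
 * the number of items copied into out[], or a negative error code. */
int parse_side(const char *side, size_t len, char out[][EXPR_MAX])
{
    int n = 0;
    trim(&side, &len);
    /* Exact match: the length is compared too, so "ALLLL..." is not "ALL". */
    if (len == 3 && memcmp(side, "ALL", 3) == 0)
        return SIDE_ALL;
    while (len > 0) {
        const char *comma = memchr(side, ',', len);
        size_t item_len = comma ? (size_t)(comma - side) : len;
        const char *item = side;
        size_t tl = item_len;
        trim(&item, &tl);
        /* Reject before copying: item plus its NUL must fit in EXPR_MAX. */
        if (tl >= EXPR_MAX)
            return SIDE_TOO_LONG;
        if (n == MAX_ITEMS)
            return SIDE_TOO_MANY;
        memcpy(out[n], item, tl);
        out[n++][tl] = '\0';
        side += item_len; len -= item_len;
        if (comma) { side++; len--; }
    }
    return n;
}

int main(void)
{
    char out[MAX_ITEMS][EXPR_MAX];
    printf("%d %d\n", parse_side("ALL", 3, out), parse_side("ALLL", 4, out));
    return 0;
}
```

The same pattern applies one level up, when a file line is read into the 500-character line buffer: check that the whole line fit before parsing it.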
