Bug Tracker item #2933329, was opened at 2010-01-16 11:10 Message generated for change (Tracker Item Submitted) made by ensc You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=1126467&aid=2933329&group_id=250683
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: daemon Group: v3.9.0 Status: Open Resolution: None Priority: 5 Private: No Submitted By: Enrico Scholz (ensc) Assigned to: Nobody/Anonymous (nobody) Summary: Possible overflow in 'program' ExtLookup Initial Comment: program_lookup() contains code like char **args = malloc (1024); ... for (i = 0, str = command_line; ; i++, str = NULL) { token = strtok_r(str, " ", &saveptr); ... args[i] = token; When passing a crafted username with spaces (e.g. 'f o o b a r') this assignment might overflow. E.g. in 64 bit archs, args[] has place for 128 elements only. Even when adding range checks (and tests whether the malloc() failed ;) ), operation won't behave as expected. E.g. instead of calling <program> 'f o o b a r' the program will be called as <program> 'f' 'o' 'o' 'b' 'a' 'r' ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=1126467&aid=2933329&group_id=250683 ------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Dspam-devel mailing list Dspam-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspam-devel