Bug Tracker item #2933329, was opened at 2010-01-16 11:10
Message generated for change (Tracker Item Submitted) made by ensc
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1126467&aid=2933329&group_id=250683

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: daemon
Group: v3.9.0
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Enrico Scholz (ensc)
Assigned to: Nobody/Anonymous (nobody)
Summary: Possible overflow in 'program' ExtLookup

Initial Comment:
program_lookup() contains code like

char **args = malloc (1024);
...
for (i = 0, str = command_line; ; i++, str = NULL) {
       token = strtok_r(str, " ", &saveptr);
       ...
       args[i] = token;


When passing a crafted username with spaces (e.g. 'f o o b a r') this 
assignment might overflow. E.g. in 64 bit archs, args[] has place for 128 
elements only.

Even when adding range checks (and tests whether the malloc() failed ;) ), 
operation won't behave as expected.  E.g. instead of calling

<program> 'f o o b a r'

the program will be called as

<program> 'f' 'o' 'o' 'b' 'a' 'r'

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1126467&aid=2933329&group_id=250683

------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Dspam-devel mailing list
Dspam-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-devel

Reply via email to