Re: Buffer overflow in bing

2001-01-23 Thread Kris Kennaway

On Fri, Jan 19, 2001 at 08:30:01PM +0100, Pierre Beyssac wrote:
> On Fri, Jan 19, 2001 at 06:52:27PM +0100, Paul Starzetz wrote:
> > The buffer overflowed is an 80-byte static local buffer:
> > static char buf[80];
> 
> It is patched by default in FreeBSD's package collection. Here's
> the patch below (author: [EMAIL PROTECTED]).

Actually, the patch was mine :-)


revision 1.1
date: 2000/03/05 05:30:54;  author: kris;  state: Exp;
This is a setuid root binary. sprintf()s of DNS hostnames into undersized
buffers are bad. Fix this. It should also drop privileges for extra
safety, but doesn't.

Kris

-- 
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger [EMAIL PROTECTED]



Re: Buffer overflow in bing

2001-01-22 Thread Pierre Beyssac

On Fri, Jan 19, 2001 at 06:52:27PM +0100, Paul Starzetz wrote:
> The buffer overflowed is an 80-byte static local buffer:
>   static char buf[80];

It is patched by default in FreeBSD's package collection. Here's
the patch below (author: [EMAIL PROTECTED]).

I have also issued a bugfix release including this patch, available
from http://www.freenix.org/reseau/bing-1.0.5.tar.gz

--- bing.c.orig Thu Jul 20 16:45:32 1995
+++ bing.c  Sat Mar  4 16:13:05 2000
@@ -718,13 +718,13 @@
u_long l;
 {
struct hostent *hp;
-   static char buf[80];
+   static char buf[MAXHOSTNAMELEN+19];

if ((options & F_NUMERIC) ||
!(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
-   (void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
+   (void)snprintf(buf, sizeof(buf), "%s", inet_ntoa(*(struct in_addr 
+*)&l));
else
-   (void)sprintf(buf, "%s (%s)", hp->h_name,
+   (void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name,
inet_ntoa(*(struct in_addr *)&l));
return(buf);
 }
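Review bot: the patch as posted is line-wrapped by the mailer in the first snprintf change, `(void)snprintf(buf, sizeof(buf), "%s", inet_ntoa(*(struct in_addr` followed by `+*)&l));` on its own line, so it will not apply with patch(1) as-is; re-post with that line intact or attach the file. Two further points on the hunk: `MAXHOSTNAMELEN` comes from <sys/param.h>, and no include change is visible here, so confirm bing.c already pulls it in; and `buf` is still a static returned through `return(buf)`, so the function stays non-reentrant and the commit message's own caveat that the setuid binary should drop privileges still applies. The sizing itself checks out: `MAXHOSTNAMELEN+19` covers the " (" separator, a dotted quad of at most 15 characters, the closing ")" and the NUL, and snprintf() now truncates instead of writing past the end.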

--
Pierre Beyssac  [EMAIL PROTECTED]  [EMAIL PROTECTED]
  Linux: those who don't worship it are necessarily idiots
Free domains: http://www.eu.org/ or mail [EMAIL PROTECTED]
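As an added illustration of the defect the thread describes, the C below is my own and is not bing's code or the patch author's: it keeps the fix's MAXHOSTNAMELEN+19 sizing, replaces the unbounded sprintf() into an 80-byte static with a bounded snprintf() that reports truncation, and measures how many bytes a "host (addr)" line actually needs before anything is written. The hostnames, the 10.0.0.1 address and the names format_host, fits_in, host_line_required, constructed_long_name and demo_truncation are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/param.h>    /* MAXHOSTNAMELEN (64 on glibc, 256 on FreeBSD) */
#include <sys/socket.h>   /* AF_INET */
#include <netinet/in.h>   /* struct in_addr, INET_ADDRSTRLEN */
#include <arpa/inet.h>    /* inet_ntop, htonl */

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256   /* assumed fallback for platforms that lack it */
#endif

/* Size arithmetic behind the fix's MAXHOSTNAMELEN+19: the hostname, the
 * " (" separator, a dotted quad of at most 15 characters, ")" and the NUL. */
#define DOTTED_QUAD_MAX 15
#define HOSTBUF_LEN (MAXHOSTNAMELEN + 2 + DOTTED_QUAD_MAX + 1 + 1)

/* Bytes (including NUL) the "host (addr)" line needs; hostname may be NULL
 * for the numeric-only form. snprintf(NULL, 0, ...) only measures, so no
 * buffer is written at all. */
size_t host_line_required(const char *hostname, const char *dotted)
{
    int n = hostname ? snprintf(NULL, 0, "%s (%s)", hostname, dotted)
                     : snprintf(NULL, 0, "%s", dotted);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if the line fits in a buffer of bufsize bytes, else 0. With bufsize 80
 * this is the check the original sprintf() never made. */
int fits_in(size_t bufsize, const char *hostname, const char *dotted)
{
    return host_line_required(hostname, dotted) <= bufsize;
}

/* Hardened formatter: bounded write into the caller's buffer. Returns 0 when
 * the line fit, 1 when snprintf truncated it (out is still NUL-terminated),
 * -1 on an encoding error. A caller can log the truncation instead of
 * silently accepting a shortened name. */
int format_host(char *out, size_t outlen, const char *hostname, const char *dotted)
{
    int n = hostname ? snprintf(out, outlen, "%s (%s)", hostname, dotted)
                     : snprintf(out, outlen, "%s", dotted);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen;
}

/* Constructed stand-in for a PTR answer the program does not control: 100 'a's. */
const char *constructed_long_name(void)
{
    static char name[101];
    memset(name, 'a', 100);
    name[100] = '\0';
    return name;
}

/* Formats a constructed name of name_len characters into a HOSTBUF_LEN-sized
 * buffer and returns format_host()'s truncation flag after confirming the
 * result stayed inside the buffer. */
int demo_truncation(size_t name_len)
{
    static char name[2048];
    char out[HOSTBUF_LEN];
    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    int t = format_host(out, sizeof out, name, "10.0.0.1");
    if (strlen(out) >= sizeof out)   /* cannot happen: snprintf NUL-terminates */
        return -1;
    return t;
}

int main(void)
{
    struct in_addr a;
    char dotted[INET_ADDRSTRLEN];
    char line[HOSTBUF_LEN];

    a.s_addr = htonl(0x0A000001UL);  /* 10.0.0.1, constructed */
    if (inet_ntop(AF_INET, &a, dotted, sizeof dotted) == NULL)
        return 1;

    printf("bounded buffer: %d bytes (MAXHOSTNAMELEN %d + 19)\n", HOSTBUF_LEN, MAXHOSTNAMELEN);
    printf("\"example.org (%s)\" needs %zu bytes, fits in 80: %d\n", dotted,
           host_line_required("example.org", dotted), fits_in(80, "example.org", dotted));
    printf("100-char PTR name needs %zu bytes, fits in 80: %d\n",
           host_line_required(constructed_long_name(), dotted),
           fits_in(80, constructed_long_name(), dotted));

    int t = format_host(line, sizeof line, constructed_long_name(), dotted);
    printf("snprintf result: truncated=%d, strlen=%zu (buffer %zu)\n",
           t, strlen(line), sizeof line);
    return 0;
}
```

The bound follows the platform's MAXHOSTNAMELEN (64 on glibc, 256 on FreeBSD), so the same source behaves differently across systems; either way a name longer than the bound now yields a shortened line plus a truncation flag rather than a write past the end of an 80-byte static. Writing into a caller-supplied buffer also avoids the static buffer returned by `return(buf)` in the patched function, which makes that function non-reentrant, and inet_ntop() is used instead of inet_ntoa() for the same reason.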