Bugtraq archives for 3rd quarter (Jul-Sep) 1997: Re: Buffer overflow in "lpr"

Re: Buffer overflow in "lpr"

Warner Losh (impVILLAGE.ORG)
Tue, 8 Jul 1997 08:31:30 -0600

In message <31DBF6DD.1A0Eredrose.net> a42n8k9 writes:
: If I'm not mistaken this should show if a vulnerability exists.
...
:         static char *linked(register char *file) {
:                 register char *cp;
:                 static char buf[BUFSIZ];
:                 .
:                 .
:                 .
:                 strcat(buf, "/");
: ------------->  strcat(buf, file);
:                 .
:                 .
:                 .
:         }
:
: Perhaps a fix would be to use the line  "strncat(buf, file, BUFSIZ)"
: but that would stop
: lpr from processing a file with a name greater than BUFSIZ characters.

strncat wouldn't do what you wanted in this case.  It would append at
most BUFSIZ characters, rather than at most BUFSIZ-strlen(buf)
characters.  Also, you need to '\0' terminate the buf after this
because str*cat doesn't do that for you.

Warner
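The following is an added example, not code from the original thread or from lpr itself. It reproduces the quoted append pattern against a 16-byte buffer (BUF_LEN stands in for BUFSIZ) that is followed by a canary, so the effect of the wrong strncat bound can be counted rather than argued about, and it shows the bound strncat actually needs: the space remaining after the current contents and the terminating NUL that ISO C strncat always writes. The prefix "/var/spool" and the 22-character file name are constructed inputs; join_path is a hypothetical hardened replacement that refuses an over-long name instead of truncating it, since a silently shortened path names a different file.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16                      /* stand-in for BUFSIZ, small so the overflow is visible */
#define CANARY_LEN 16
#define REGION_LEN (BUF_LEN + CANARY_LEN)

/* Run the quoted pattern (strcat "/" then strncat file) into a BUF_LEN-byte buf that is
 * immediately followed by a canary. `n` is the strncat bound under test. Returns how many
 * canary bytes were clobbered; 0 means every write stayed inside buf. The region is one
 * array, so a write past BUF_LEN lands in the canary instead of in unrelated memory. */
size_t canary_damage(const char *prefix, const char *file, size_t n)
{
    static char region[REGION_LEN];
    memset(region, 0, REGION_LEN);
    memset(region + BUF_LEN, 'C', CANARY_LEN);
    strcpy(region, prefix);             /* prefix is short by construction */
    strcat(region, "/");
    strncat(region, file, n);           /* copies up to n bytes of file, then writes a NUL */

    size_t damaged = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (region[BUF_LEN + i] != 'C')
            damaged++;
    return damaged;
}

/* The bound strncat needs for a buffer of bufsize bytes: what is left after the current
 * contents and one byte for the terminator. Returns 0 when nothing more can be appended. */
size_t strncat_bound(const char *buf, size_t bufsize)
{
    size_t used = strlen(buf);
    return used + 1 < bufsize ? bufsize - used - 1 : 0;
}

/* Hypothetical hardened append for linked(): succeed only if "/" + file + NUL fits.
 * Returns 1 and appends on success; returns 0 and leaves buf unchanged otherwise. */
int join_path(char *buf, size_t bufsize, const char *file)
{
    size_t used = strlen(buf);
    size_t flen = strlen(file);
    if (used >= bufsize || 1 + flen >= bufsize - used)   /* need used + 1 + flen + 1 <= bufsize */
        return 0;
    strcat(buf, "/");
    strcat(buf, file);
    return 1;
}

int main(void)
{
    const char *prefix = "/var/spool";                  /* 10 bytes; "/" makes 11 in use */
    const char *file = "aaaaaaaaaaaaaaaaaaaaaa";        /* 22 bytes, longer than buf */
    char scratch[BUF_LEN] = "/var/spool";

    printf("strncat(buf, file, BUFSIZ)  clobbers %zu canary bytes\n",
           canary_damage(prefix, file, BUF_LEN));
    printf("strncat(buf, file, %zu)      clobbers %zu canary bytes\n",
           strncat_bound("/var/spool/", BUF_LEN),
           canary_damage(prefix, file, strncat_bound("/var/spool/", BUF_LEN)));
    printf("join_path with the long name: %s\n",
           join_path(scratch, BUF_LEN, file) ? "appended" : "refused, buf unchanged");
    return 0;
}
```

With these inputs the "fix" from the quoted message writes 11 + 16 + 1 = 28 bytes into a 16-byte buffer, 12 of them over the canary; the remaining-space bound of 4 keeps the write inside buf, but at the cost of quietly turning the name into "/var/spool/aaaa", which is why join_path checks the length and refuses instead.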