OSEC

Subject: Re: buffer overflow in libsecure (NSA Security-enhanced Linux)
From: Perry Harrington (pedwardWEBCOM.COM)
Date: Wed Dec 27 2000 - 17:35:28 CST


From your message, it would appear that the file parser is at fault, not
truncating the newline in the value. If the newline is removed, like most
config file parsers, then the allocation logic is correct.

--Perry

> value of buf would be "sysadm_r:sysadm_t\n". There are no leading
>
> (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));
>
> the argument to malloc is 18 - 0 - 8 - 1, which is 9. Then,
>
> strcpy ((*type), &buf[i]+len+1);
>
> attempts to copy the 10 characters "sysadm_t\n\0" into the 9-character
> buffer.
>
> This patch should address the issue:
>
> *** get_default_type.c.old Thu Nov 30 11:32:58 2000
> --- get_default_type.c Tue Dec 26 00:19:04 2000
> ***************
> *** 72,74 ****
> /* malloc space for the type */
> ! (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));
> if ((*type) == NULL)
> --- 72,74 ----
> /* malloc space for the type */
> ! (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len));
> if ((*type) == NULL)
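Review bot: the new size is an exact fit only because strcpy copies the trailing "\n" into *type along with its terminator, so the returned type string still carries the newline from the line buffer (the quoted buf value ends in "\n"); anything that later compares it against a plain type name will not match unless the newline is stripped elsewhere. Sizing from the substring that is actually copied avoids both problems and does not depend on whether the parser left the newline in place: `(*type) = malloc(strlen(&buf[i]+len+1) + 1);` followed by the existing strcpy. `sizeof(char)` is 1 by definition and can be dropped.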
>
>
> Matt Power
> BindView Corporation, RAZOR Team
> mhpowerbos.bindview.com

-- 
Perry Harrington                 Director of                   zelur xuniL  ()
perrywebcom.com             System Architecture               Think Blue.  /\
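To make the arithmetic in the thread concrete, here is an added C example (not code from libsecure or from either poster) that evaluates the original and patched malloc sizes against the bytes strcpy actually writes, for the quoted line both with and without its trailing newline, and then shows a hardened extraction that strips the newline and sizes the buffer from the substring it copies. SAMPLE_LINE and SAMPLE_LINE_STRIPPED are constructed inputs modelled on the "sysadm_r:sysadm_t\n" value quoted above, and extract_type is a hypothetical helper, not the library's get_default_type.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines in the role:type shape quoted in the thread;
   not taken from any real SELinux configuration file. */
static const char SAMPLE_LINE[] = "sysadm_r:sysadm_t\n";
static const char SAMPLE_LINE_STRIPPED[] = "sysadm_r:sysadm_t";

/* Bytes strcpy writes when copying the type from &buf[i]+len+1:
   everything after the separator plus the terminating NUL. */
size_t bytes_written_by_strcpy(const char *buf, size_t i, size_t len) {
    return strlen(buf + i + len + 1) + 1;
}

/* The allocation request as in the original code: strlen(buf)-i-len-1.
   All operands are size_t here, so a line shorter than i+len+1 would wrap
   around to a huge request; the guard returns 0 instead of reproducing that. */
size_t alloc_size_original(const char *buf, size_t i, size_t len) {
    size_t n = strlen(buf);
    if (n < i + len + 1) return 0;
    return n - i - len - 1;
}

/* The allocation request as in the posted patch: strlen(buf)-i-len. */
size_t alloc_size_patched(const char *buf, size_t i, size_t len) {
    size_t n = strlen(buf);
    if (n < i + len) return 0;
    return n - i - len;
}

/* Remove a trailing "\n" or "\r\n" in place; returns the new length. */
size_t strip_newline(char *line) {
    size_t n = strlen(line);
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r'))
        line[--n] = '\0';
    return n;
}

/* Hardened extraction of the type field (hypothetical helper): copy the
   line, drop the newline, locate the separator, and size the buffer from
   the substring actually copied rather than from arithmetic on the whole
   line. Returns NULL for oversized or malformed input; caller frees. */
char *extract_type(const char *line) {
    char tmp[256];
    size_t n = strlen(line);
    if (n >= sizeof tmp) return NULL;               /* refuse oversized lines */
    memcpy(tmp, line, n + 1);
    strip_newline(tmp);
    char *sep = strchr(tmp, ':');
    if (sep == NULL || sep[1] == '\0') return NULL; /* no separator or empty type */
    const char *src = sep + 1;
    size_t need = strlen(src) + 1;                  /* characters plus NUL */
    char *type = malloc(need);
    if (type == NULL) return NULL;
    memcpy(type, src, need);
    return type;
}
```

With i = 0 and len = 8 (the role "sysadm_r"), the original formula requests 9 bytes for a 10-byte strcpy on the newline-terminated line and 8 bytes for a 9-byte copy on the stripped line, while the patched formula gives 10 and 9 respectively; extract_type returns "sysadm_t" without the newline in either case.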

