Re: Buffer overflow in "lpr"

Warner Losh (imp@VILLAGE.ORG)
Tue, 08 Jul 1997 08:31:30 -0600

In message <31DBF6DD.1A0E@redrose.net> a42n8k9 writes:
: If I'm not mistaken this should show if a vulnerability exists.
...
: static char *linked(register char *file) {
: register char *cp;
: static char buf[BUFSIZ];
: .
: .
: .
: strcat(buf, "/");
: -------------> strcat(buf, file);
: .
: .
: .
: }
:
: Perhaps a fix would be to use the line "strncat(buf, file, BUFSIZ)"
: but that would stop lpr from processing a file with a name greater
: than BUFSIZ characters.

strncat wouldn't do what you wanted in this case. It would append at
most BUFSIZ characters, rather than at most BUFSIZ-strlen(buf)
characters. Also, you need to '\0' terminate the buf after this
because str*cat doesn't do that for you.

Warner
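The point about strncat's length argument, shown in code. This is an added example, not the lpr source or anyone's posted code: BUF_SZ is a small stand-in for BUFSIZ, the spool directory and file names are constructed sample values, and linked_bounded is a hypothetical bounded replacement for the quoted linked() pattern.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for BUFSIZ, kept small so the limit is easy to reach in a test. */
#define BUF_SZ 32

/* Reports (without performing the write) whether the proposed fix
 * strncat(buf, file, BUF_SZ) would still run past the end of buf once
 * buf already holds dir and the "/" appended before the file name.
 * strncat's third argument caps the characters appended, not the total
 * size of buf, so a buffer that is already mostly full still overflows. */
int strncat_misuse_overflows(const char *dir, const char *file)
{
    size_t used = strlen(dir) + 1;                   /* dir + "/" */
    size_t flen = strlen(file);
    size_t appended = flen < BUF_SZ ? flen : BUF_SZ; /* what strncat copies */
    return used + appended + 1 > BUF_SZ;             /* +1 for the NUL */
}

/* Bounded version of the same concatenation. The space left in buf is
 * computed from its real size, and a name that would not fit is rejected
 * rather than silently truncated (a truncated path names the wrong file).
 * Returns the resulting path length, or -1 if the path would not fit. */
int linked_bounded(char *buf, size_t bufsz, const char *dir, const char *file)
{
    if (strlen(dir) + 1 + strlen(file) + 1 > bufsz)
        return -1;
    strcpy(buf, dir);                            /* fits: checked above */
    strcat(buf, "/");
    strncat(buf, file, bufsz - strlen(buf) - 1); /* room left, minus the NUL */
    return (int)strlen(buf);
}

int main(void)
{
    char buf[BUF_SZ];
    const char *dir = "/var/spool/lpd";          /* constructed sample values */
    const char *longname = "a-name-that-is-far-too-long-for-buf";
    int n;

    n = linked_bounded(buf, sizeof buf, dir, "job1");
    printf("job1 -> %d (%s)\n", n, buf);
    n = linked_bounded(buf, sizeof buf, dir, longname);
    printf("long name -> %d\n", n);
    printf("strncat(buf, file, BUF_SZ) would overflow for it: %d\n",
           strncat_misuse_overflows(dir, longname));
    return 0;
}
```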