Re: Possible weakness in LPD protocol

Oliver Friedrichs (oliver@SILENCE.SECNET.COM)
Fri, 03 Oct 1997 11:55:06 -0600

> On October 02 1997, Bennett Samowich wrote:
>
> 5.) Overflow at least one buffer from the network; this is just
> above the "print any file" part of recvjob.c:
>
>     cp = line;
>     do {
>         if ((size = read(1, cp, 1)) != 1) {
>             if (size < 0)
>                 frecverr("%s: Lost connection",printer);
>             return(nfiles);
>         }
>     } while (*cp++ != '\n');

In this case "line" is a global variable in common_source/common.c, so it
wouldn't be vulnerable to the standard stack overflow; however, there are
some other interesting variables near it that look like they could be
manipulated to create undesired effects.

- Oliver

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secure Networks Incorporated. Calgary, Alberta, Canada, (403) 262-9211
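
A bounded form of the read loop quoted above, as an added example that is not part of the original message or of the lpd source. The names `read_line_bounded`, `pipe_with` and the `LINE_*` codes are hypothetical, and the pipe contents are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define LINE_OK         0
#define LINE_EOF      (-1)  /* connection lost or closed before '\n' */
#define LINE_TOO_LONG (-2)  /* peer sent more than the buffer holds */

/* Read one '\n'-terminated line from fd into buf (cap bytes in total).
 * The write position is checked against the end of the buffer before
 * every store, so variables placed after buf are never written. */
int read_line_bounded(int fd, char *buf, size_t cap, size_t *len_out)
{
    size_t n = 0;
    char c;
    if (cap == 0)
        return LINE_TOO_LONG;
    for (;;) {
        if (read(fd, &c, 1) != 1) {
            buf[n] = '\0';
            return LINE_EOF;
        }
        if (c == '\n')
            break;
        if (n + 1 >= cap) {        /* keep one byte for the terminator */
            buf[n] = '\0';
            return LINE_TOO_LONG;  /* caller should drop the connection */
        }
        buf[n++] = c;
    }
    buf[n] = '\0';
    if (len_out)
        *len_out = n;
    return LINE_OK;
}

/* Constructed test input: returns the read end of a pipe holding s. */
int pipe_with(const char *s)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    if (write(p[1], s, strlen(s)) < 0) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);
    return p[0];
}

int main(void)
{
    char line[16];
    int fd = pipe_with("short line\nthis one is far longer than sixteen bytes\n");
    printf("%d\n", read_line_bounded(fd, line, sizeof line, NULL));
    printf("%d\n", read_line_bounded(fd, line, sizeof line, NULL));
    return close(fd);
}
```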