Re: ELM overflow

Michel GAUDET (Michel.Gaudet@EHESS.FR)
Fri, 16 May 1997 13:31:05 +0200

On Wed, 14 May 1997 security@home.bti.pl wrote:

> On Tue, 13 May 1997, Wojciech Swieboda wrote:
>
> > Hello,
> > I've lately found an overflow vulnerability in Elm (Elm is setgid
> > mail on linux, and perhaps on some other platforms aswell). I've tested this
> > bug on versions 2.3 and 2.4, on 3 different Linux installations.
> > from Elm 2.3's curses.c:
> > [...]
> > char termname[40];
> > char *strcpy(), *getenv();
> >
> > if (getenv("TERM") == NULL) return(-1);
> >
> > if (strcpy(termname, getenv("TERM")) == NULL)
> > return(-1);
> > [...]
> > to patch, change the strcpy line to
> > if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)
> >
> To patch it on Elm 2.4, change:
>
> [...]
> if (strcpy(termname, termenv) == NULL)
> return (-1);
>
> to:
> [...]
> if (strncpy(termname, termenv, sizeof(termname)) == NULL)
> return (-1);
>
>
> -Grych
>

You must terminate the string with \0 because strncpy don't : the strncpy
copy at maximum n characters regardless, if length S2 >= n, of the
termination of the strings.

Then I think the exact change should be :

char termname[40];
char *strncpy(), *getenv();
....
termname[39] = '\0' ;
if (strncpy(termname, termenv, sizeof(termname) - 1) == NULL)
return (-1);

Regards.

--------------------------------------------------------------------------
| Michel GAUDET |
| Ecole des Hautes Etudes en Sciences Sociales. |
| 54 Boulevard RASPAIL 75006 PARIS (France) |
| FAX:(33) 01 49 54 26 85 Email: Michel.Gaudet@ehess.fr |
| Tel:(33) 01 49 54 25 91 |
--------------------------------------------------------------------------