Re: Possible weakness in LPD protocol
Oliver Friedrichs (oliver@SILENCE.SECNET.COM)
Fri, 03 Oct 1997 11:55:06 -0600
> On October 02 1997, Bennett Samowich wrote:
>
> 5.) Overflow at least one buffer from the network; this is just
> above the "print any file" part of recvjob.c:
>
> cp = line;
> do {
> if ((size = read(1, cp, 1)) != 1) {
> if (size < 0)
> frecverr("%s: Lost connection",printer);
> return(nfiles);
> }
> } while (*cp++ != '\n');
In this case "line" is a global variable in common_source/common.c so it
wouldn't be vulnerable to the standard stack overflow, however there are
some other interesting variables near it that look like they could be
manipulated to create undesired effects.
- Oliver
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secure Networks Incorporated. Calgary, Alberta, Canada, (403) 262-9211