Bugtraq mailing list archives

Re: rwhod buffer overflow


From: stuart () cs adelaide edu au (Stuart Beck)
Date: Thu, 22 Aug 1996 12:54:29 +0930


It seems that David J. Meltzer wrote ...
There is a remote buffer overflow in the path variable in rwhod.c in the
line: (void) sprintf(path, "whod.%s", wd.wd_hostname);
[snip]

I would suggest prior to the sprintf line you add something to the effect:
    /* reject a name that is not NUL-terminated inside its own field */
    if (strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
            /* struct in_addr cannot be passed to %x; format it with inet_ntoa() */
            syslog(LOG_WARNING, "possible hostname overflow attack apparently from %s",
                   inet_ntoa(from.sin_addr));
            continue;
    }


This sprintf is called at the time when rwhod is processing the packet.

Prior to this line the function verify(wd.wd_hostname) is called,
checking that the hostname is valid, i.e. it must contain only ASCII
alphanumeric or punctuation characters.  If a "bad" name is found this
function returns 0; otherwise it returns the value (size > 0).

I would suggest that a better check would be to have the verify function
return 0 causing the information to be dropped (and/or complain if you so
desire) if the name is overlength.

SAb.

-----------------------------------------------------
Stuart Allan Beck           stuart () cs adelaide edu au
Systems manager
Computer science dept.             Tel: (08)-303-4485
Adelaide University                Fax: (08)-303-4366
-----------------------------------------------------
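The check discussed in the message above, written out as an added, stand-alone example (this is not the original rwhod.c nor either poster's code): a bounded verify() that refuses a name which is overlength or not NUL-terminated within its field, and a path builder that uses snprintf() instead of sprintf(). The field and buffer sizes WD_HOSTNAME_LEN and PATH_LEN, the names verify_bounded and build_whod_path, and the sample host names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Sizes assumed for the example: the hostname field of the rwho packet
 * and rwhod's path buffer.  Illustrative constants, not taken from a
 * particular rwhod release. */
#define WD_HOSTNAME_LEN 32
#define PATH_LEN 64

/* Bounded replacement for rwhod's verify(): the name must be terminated
 * within maxlen bytes and consist only of ASCII alphanumeric or
 * punctuation characters.  Returns 1 if acceptable, 0 otherwise.
 * Unlike a scan that stops only at a NUL, this never reads past the
 * field when a hostile packet omits the terminator, and an overlength
 * name is rejected here rather than reaching sprintf(). */
int verify_bounded(const char *name, size_t maxlen)
{
    size_t size;

    for (size = 0; size < maxlen && name[size] != '\0'; size++) {
        unsigned char c = (unsigned char)name[size];
        if (c > 0x7f || !(isalnum(c) || ispunct(c)))
            return 0;           /* "bad" character: drop the packet */
    }
    if (size == maxlen)
        return 0;               /* overlength or unterminated: drop it */
    return size > 0;
}

/* Build "whod.<host>" as rwhod does, but never write more than the
 * destination holds.  Returns 0 on success, -1 if the name was rejected
 * or the result would not fit. */
int build_whod_path(char *path, size_t pathlen, const char *hostname)
{
    int n;

    if (!verify_bounded(hostname, WD_HOSTNAME_LEN))
        return -1;
    n = snprintf(path, pathlen, "whod.%s", hostname);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;              /* would have been truncated */
    return 0;
}

/* Constructed sample host name (assumption, for the demonstration only). */
static const char good_host[WD_HOSTNAME_LEN] = "alpha.cs.example";

/* Run the checks over constructed inputs; returns 1 if every case
 * behaves as intended, 0 otherwise. */
int run_demo(void)
{
    char path[PATH_LEN];
    char small[8];
    char hostile[WD_HOSTNAME_LEN];

    /* 1. an ordinary name passes and yields "whod.alpha.cs.example" */
    if (build_whod_path(path, sizeof path, good_host) != 0 ||
        strcmp(path, "whod.alpha.cs.example") != 0)
        return 0;

    /* 2. a name carrying a space fails the character check */
    if (verify_bounded("bad host", WD_HOSTNAME_LEN) != 0)
        return 0;

    /* 3. a packet whose hostname field is all 'A' with no terminator
     *    (constructed hostile input) is rejected before any formatting */
    memset(hostile, 'A', sizeof hostile);
    if (verify_bounded(hostile, sizeof hostile) != 0)
        return 0;
    if (build_whod_path(path, sizeof path, hostile) != -1)
        return 0;

    /* 4. a valid name is still refused when "whod." + name cannot fit
     *    the destination, instead of overflowing it */
    if (build_whod_path(small, sizeof small, good_host) != -1)
        return 0;

    return 1;
}

int main(void)
{
    printf("all checks behaved as expected: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```

The point of bounding the scan by the field size rather than relying on a terminator is that the hostname field sits inside an attacker-supplied packet: without the bound, a field with no NUL lets the scan, and later the sprintf(), run on into whatever follows it.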