Bugtraq mailing list archives
Re: rwhod buffer overflow
From: stuart () cs adelaide edu au (Stuart Beck)
Date: Thu, 22 Aug 1996 12:54:29 +0930
It seems that David J. Meltzer wrote ...
> There is a remote buffer overflow in the path variable in rwhod.c in the line:
>
>     (void) sprintf(path, "whod.%s", wd.wd_hostname);
>
> [snip]
>
> I would suggest prior to the sprintf line you add something to the effect:
>
>     if(strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
>         syslog(LOG_WARNING, "possible hostname overflow attack apparently from %x", from.sin_addr);
>         continue;
>     }

This sprintf is called at the time when rwhod is processing the packet. Prior to this line the function verify(wd.wd_hostname) is called checking that the hostname is valid i.e. must contain ascii, alphanum, or punctuation characters. If a "bad" name is found this function returns 0 otherwise it returns the value (size > 0).

I would suggest that a better check would be to have the verify function return 0 causing the information to be dropped (and/or complain if you so desire) if the name is overlength.

SAb.
-----------------------------------------------------
Stuart Allan Beck            stuart () cs adelaide edu au
Systems manager              Computer science dept.
Tel: (08)-303-4485           Adelaide University
Fax: (08)-303-4366
-----------------------------------------------------
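
The check proposed in the message above, sketched as an added example (not code from rwhod or from either poster). The struct `whod_sample`, the 32-byte field size, and the names `verify_bounded` and `build_whod_path` are assumptions made for illustration; rejecting '/' is an extra choice of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_FIELD 32   /* assumed size of the wd_hostname field */

/* Constructed stand-in for the received packet: only the field discussed. */
struct whod_sample {
    char wd_hostname[HOSTNAME_FIELD];
};

/*
 * Bounded form of the verify() idea: return 0 when the name is empty, has
 * no NUL inside the field (overlength), or holds a byte that is not ASCII
 * alphanumeric or punctuation; otherwise return its length (> 0).
 */
static int verify_bounded(const char *name, size_t field_size)
{
    const char *end = memchr(name, '\0', field_size);
    size_t i, len;

    if (end == NULL)              /* never scan past the packet field */
        return 0;
    len = (size_t)(end - name);
    if (len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c > 127 || !(isalnum(c) || ispunct(c)))
            return 0;
        if (c == '/')             /* added choice: name becomes a file name */
            return 0;
    }
    return (int)len;
}

/* Build "whod.<hostname>" in path; 0 on success, -1 if the packet is dropped. */
static int build_whod_path(const struct whod_sample *wd, char *path, size_t path_size)
{
    int n;

    if (!verify_bounded(wd->wd_hostname, sizeof(wd->wd_hostname)))
        return -1;
    /* The precision caps the copy at the field size; snprintf caps it at path_size. */
    n = snprintf(path, path_size, "whod.%.*s",
                 (int)sizeof(wd->wd_hostname), wd->wd_hostname);
    return (n < 0 || (size_t)n >= path_size) ? -1 : 0;
}
```

A caller would drop the packet, and optionally log it, whenever `build_whod_path` returns -1.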