Bugtraq mailing list archives
Re: xlock mishandles malformed .signature/.plan
From: aaron () UG CS DAL CA (Aaron Campbell)
Date: Sat, 7 Nov 1998 12:17:54 -0400
On Fri, 6 Nov 1998, Jochen Thomas Bauer wrote:
The local variable "char *home", that will be filled with a pointer to a string containing the path to the user's home directory, is declared right after the local varibale "char buf[121]", so this pointer will be located right above the space left for "char buf[121]" on the stack (remember, the stack grows to
You've made a pretty bold assumption here on what order the compiler will decide the local variables should live on the stack. In particular, any optimization options passed to gcc will often rearrange the positions of the automatic variables. At any rate, this was pointed out in a Bugtraq posting from gut () cdc net dated May 31st, 1998: http://geek-girl.com/bugtraq/1998_2/0446.html
cr = strlen(buf) - 1; if (buf[cr] == '\n') { buf[cr] = '\0'; } So buf[-1] must have a value of buf[-1]=10 in order to get overwritten by NULL.
Wrong. Look further down the code; there is another buf[cr] = '\0'; statement that most certainly will be executed regardless.
The pointer "char *home" has at this point already been used to construct the full path to the .plan, .signature or .xlocktext file, and the result has already been written to a buffer pointed to by "char *buffer".
And if the author adds code at a later time which uses the *home pointer, he may have blindly created a way to modify data at God-knows-where in memory.
So, IMHO, there is no security hole created by this bug.
Either way, this really isn't an issue. One bug might not look harmful, but often multiple bugs together can be. Programming flaws appearing innocent now may turn out to help create gaping security holes later. . _ _ _ _ . . _ _ . . _ _ _ . . : |-||-||<|_||\| |_|-||\/||-'|->|_-|_|_ DalTech, Halifax, NS, Canada `---------------------------------------- [http://www.biodome.org/~fx] -
Current thread:
- Re: xlock mishandles malformed .signature/.plan Jochen Thomas Bauer (Nov 06)
- Re: xlock mishandles malformed .signature/.plan Aaron Campbell (Nov 07)
- shadow problems. twiztah (Nov 08)
- tcpd -DPARANOID doesn't work, and never did D. J. Bernstein (Nov 08)
- Re: tcpd -DPARANOID doesn't work, and never did Warner Losh (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did Peter Wemm (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 10)
- Re: tcpd -DPARANOID doesn't work, and never did Warner Losh (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did Wietse Venema (Nov 09)
- Re: tcpd -DPARANOID doesn't work, and never did Chip Christian (Nov 10)
- <Possible follow-ups>
- Re: xlock mishandles malformed .signature/.plan tschweik () FIDUCIA DE (Nov 09)
- Re: xlock mishandles malformed .signature/.plan tschweik () FIDUCIA DE (Nov 11)