Re: Possible weakness in LPD protocol

[Doug.Hughes () ENG AUBURN EDU (Doug Hughes)]

Thomas Roessler wrote:
> On October 02 1997, Bennett Samowich wrote:
>
> > 1.) Obtaining hard (or possibly soft) copies of any file on the system.
> > 2.) Deleting any file on the system.
> > 3.) Creating a file on the system.
> > 4.) Mail bombing.
>
> 5.) Overflow at least one buffer from the network; this is just
> above the "print any file" part of recvjob.c:
>
>                cp = line;
>                do {
>                        if ((size = read(1, cp, 1)) != 1) {
>                                if (size < 0)
>                                        frecverr("%s: Lost connection",printer);
>                                return(nfiles);
>                        }
>                } while (*cp++ != '\n');
>
>
> Consequences aren't really obvious, but you may be able to do
> nasty things.
>
> Will we ever get rid of gets()?  (lpd source tree is from some
> recent RedHat distribution.)


Here's another one from common_source/common.c
    while ((c = getc(cfp)) != '\n') {
        if (c == EOF)
            return(0);
        if (c == '\t') {
            do {
                *lp++ = ' ';
                linel++;
            } while ((linel & 07) != 0);
            continue;
        }
        *lp++ = c;
        linel++;
    }
    *lp++ = '\0';
    return(linel);


A fix would appear to be to make the while like this:
    while ((c = getc(cfp)) != '\n' && linel < BUFSIZ-8) {

Why BUFSIZ-8?
leave space for tab expansion in inner do loop. It still should be
a plenty long enough buffer. Or, add another check for linel in
inner do loop.

-
____________________________________________________________________________
Doug Hughes                                     Engineering Network Services
System/Net Admin                                Auburn University
                        doug () eng auburn edu