bufferoverflow in client shipped with squid-2.5.STABLE1.tar.gz (latest) and below

[mr elite <woot_woot_root () yahoo co uk>]

Hello,
While testing various binarys on Redhat 8.0 i came
across a buffer overflow in the /usr/sbin/client
program that ships with squid. Redhat 8.0 ships with
squid-2.4.STABLE7-4.src.rpm i also looked at client.c
source for latest version which has same problem. The
problem is when suppling 8229 or more characters when
running /usr/sbin/client eg.
[fault@b0f fault]$ /usr/sbin/client `perl -e 'print
"A"x8229'`
Segmentation fault (core dumped)
[fault@b0f fault]$ 
after a quick look at code it seems to be overflowing
at the strcpy call.
<snips from code>

#define BUFSIZ 8192
 
char url[BUFSIZ], msg[BUFSIZ], buf[BUFSIZ];

 else if (argc >= 2) {
        strcpy(url, argv[argc - 1]);
        if (url[0] == '-')
            usage(argv[0]);

</snips from code>

FIX
-=-=-

- strcpy(url, argv[argc - 1]);

+ strncpy(url, argv[argc - 1], sizeof(BUFSIZ));

 NOT A SECURITY ISSUE , JUST ANOTHER DUMB SEGFAULT

EOF


Alan M 
(faulty)
www.b0f.net





---------------------------------
With Yahoo! Mail you can get a bigger mailbox -- choose a size that fits your needs