Buffer overflow in uucpd.c/do

bug-inetutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Buffer overflow in uucpd.c/do_login()

From:	Tim Rühsen
Subject:	Buffer overflow in uucpd.c/do_login()
Date:	Sun, 16 Feb 2020 20:12:26 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2

L411-L414:
      strcpy (line, remotehost);
      SCPYN (ll.ll_line, line);
      SCPYN (ll.ll_host, remotehost);
      write (f, (char *) &ll, sizeof (ll));

'remotehost' is either 64 bytes or 1025 (depends on the code paths
protected by #ifdef). 'line' is only 32 bytes. I have no idea about L411
- if it's an accident or on (what ?) purpose.

Apart from that, the two calls to SCPYN() *may* not 0-terminate the
strings ll.ll_line and ll.ll_host in every case (if line or remotehost
have lengths >= the destination).

A few lines above:
# define SCPYN(a, b)    strncpy(a, b, sizeof (a))


Regards, Tim

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Buffer overflow in uucpd.c/do_login(), Tim Rühsen <=

Prev by Date: [PATCH] rcp: Remove unused variable
Next by Date: [PATCH 1/2] ping: Fix memleak in ping_set_packetsize
Previous by thread: [PATCH] rcp: Remove unused variable
Next by thread: [PATCH 1/2] ping: Fix memleak in ping_set_packetsize
Index(es):
- Date
- Thread