Re: rwhod buffer overflow
daemon@ATHENA.MIT.EDU (Stuart Beck)
Thu Aug 22 03:28:32 1996
Date: Thu, 22 Aug 1996 12:54:29 +0930
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Stuart Beck <stuart@cs.adelaide.edu.au>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
It seems that David J. Meltzer wrote ...
>There is a remote buffer overflow in the path variable in rwhod.c in the
>line: (void) sprintf(path, "whod.%s", wd.wd_hostname);
[snip]
>
>I would suggest prior to the sprintf line you add something to the effect:
>if(strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
> syslog(LOG_WARNING, "possible hostname overflow attack apparently from %x",
> from.sin_addr);
> continue;
> }
>
This sprintf is called at the time when rwhod is processing the packet.
Prior to this line the function verify(wd.wd_hostname) is called,
checking that the hostname is valid, i.e. it must contain ASCII alphanumeric
or punctuation characters. If a "bad" name is found this function returns
0, otherwise it returns the value (size > 0).
I would suggest that a better check would be to have the verify function
return 0, causing the information to be dropped (and/or complain if you so
desire), if the name is overlength.
SAb.
-----------------------------------------------------
Stuart Allan Beck stuart@cs.adelaide.edu.au
Systems manager
Computer science dept. Tel: (08)-303-4485
Adelaide University Fax: (08)-303-4366
-----------------------------------------------------
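The following is an added worked example, not code from the rwhod source or from either poster. It shows the unbounded verify() walk the post describes beside a bounded version of the kind Stuart suggests, and a path builder that never overflows. The field sizes (a 32-byte wd_hostname and a 64-byte path buffer) are assumptions matching the BSD rwhod of that era, and the "packet" is constructed inline for the demonstration, not a real capture.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define WD_HOSTNAME_LEN 32   /* assumed size of wd_hostname in the whod packet */
#define PATH_LEN        64   /* assumed size of rwhod's path[] buffer          */

/* verify() as the post describes it: every byte must be ASCII and either
 * alphanumeric or punctuation; returns 0 on a bad byte, else (size > 0).
 * It walks until it finds a NUL, so it trusts the sender to have terminated
 * wd_hostname inside its field.  A sender who fills the field with printable
 * bytes makes both this walk and the later sprintf() run past the field. */
static int verify_original(const char *name)
{
    int size = 0;
    while (*name) {
        unsigned char c = (unsigned char)*name;
        if (c >= 0x80 || !(isalnum(c) || ispunct(c)))
            return 0;
        name++, size++;
    }
    return size > 0;
}

/* The change the post proposes: the same character check, but a name with
 * no NUL inside its `cap`-byte field is overlength and is rejected, so the
 * datagram is dropped before any copy happens. */
static int verify_bounded(const char *name, size_t cap)
{
    size_t size = 0;
    while (size < cap && name[size] != '\0') {
        unsigned char c = (unsigned char)name[size];
        if (c >= 0x80 || !(isalnum(c) || ispunct(c)))
            return 0;
        size++;
    }
    if (size == cap)          /* ran off the end of the field: overlength */
        return 0;
    return size > 0;
}

/* Build "whod.<host>" into out[]; returns 1 on success, 0 if the name fails
 * verify_bounded() or the result would not fit.  The precision in "%.*s"
 * caps the bytes read even if the check were ever removed, and snprintf()
 * caps the bytes written, so path[] cannot overflow either way. */
static int build_path(char *out, size_t outsz, const char *host, size_t cap)
{
    int n;
    if (!verify_bounded(host, cap))
        return 0;
    n = snprintf(out, outsz, "whod.%.*s", (int)cap, host);
    return n >= 0 && (size_t)n < outsz;
}

/* Constructed hostile datagram (not a real capture): the 32-byte hostname
 * field holds no NUL, and the bytes that model the rest of the packet are
 * also printable, so a NUL-terminated walk only stops at byte 100. */
static char g_packet[128];
static const char *hostile_packet(void)
{
    memset(g_packet, 'A', WD_HOSTNAME_LEN);
    memset(g_packet + WD_HOSTNAME_LEN, 'B', 100 - WD_HOSTNAME_LEN);
    g_packet[100] = '\0';
    return g_packet;
}

/* Length strlen() reports for the hostile packet's "hostname". */
static size_t hostile_strlen(void) { return strlen(hostile_packet()); }

/* 1 if build_path() accepts `host` and produces exactly `expected`. */
static int path_matches(const char *host, const char *expected)
{
    char path[PATH_LEN];
    return build_path(path, sizeof path, host, WD_HOSTNAME_LEN)
           && strcmp(path, expected) == 0;
}

int main(void)
{
    const char *h = hostile_packet();
    printf("strlen of hostile hostname: %zu (field is %d, path is %d)\n",
           hostile_strlen(), WD_HOSTNAME_LEN, PATH_LEN);
    printf("verify_original accepts it: %d\n", verify_original(h));
    printf("verify_bounded  accepts it: %d\n",
           verify_bounded(h, WD_HOSTNAME_LEN));
    printf("build_path for \"host1\" ok: %d\n",
           path_matches("host1", "whod.host1"));
    return 0;
}
```

The demonstration keeps the hostile bytes inside one char array so the unbounded walk is observable without reading outside an object; in the real daemon the same walk continues through whatever follows wd_hostname on the stack, and the 100-byte name then lands in a 64-byte path[] via sprintf().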