[3773] in bugtraq
Re: L0pht Advisory: modstat
daemon@ATHENA.MIT.EDU (Eivind Eklund)
Tue Dec 10 13:04:00 1996
Date: Tue, 10 Dec 1996 11:29:16 +0100
Reply-To: Eivind Eklund <eivind@dimaga.com>
From: Eivind Eklund <eivind@dimaga.com>
X-To: bugs@freebsd.org
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
> L0pht Security Advisory
> Advisory released Dec 9 1996
>
> Application: modstat
>
> Vulnerability Scope: systems with the *BSD
> distribution of modstat sgid kmem
>
> Author: mudge@l0pht.com
>
> The problem exists in the dostat() routine where an arbitrary sized string
> is shoved into sbuf.name through a strcpy().
Here is a patch for FreeBSD 2.1.6 (should be extremely similar on other BSD
4.4 derivatives):
75,80c75,77
< if (modname != NULL) {
< strncpy(sbuf.name, modname, sizeof(sbuf.name));
< sbuf.name[sizeof(sbuf.name)-1] = 0; /* Ensure termination */
< } else {
< sbuf.name[0] = 0;
< }
---
> if (modname != NULL)
> strcpy(sbuf.name, modname);
>
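
Review bot: the diff direction looks reversed. In the 75,80c75,77 hunk the "<" lines (first file) carry the bounded strncpy() with explicit termination, and the ">" lines (second file) carry the unbounded strcpy(), so it was generated as new-versus-old; regenerate it with the original file first, or apply it with patch -R. Separately, the strncpy() path silently truncates a modname longer than sizeof(sbuf.name)-1, so the name that gets used is not the one the user passed; consider checking strlen(modname) against sizeof(sbuf.name) and exiting with an error instead of truncating.
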
This also fixes a minor bug with an uninitialized printf() %s parameter if
passed a NULL modname.
--
Eivind Eklund gopher://nic.follonett.no:79/0eivind
Work: eivind@dimaga.com http://www.dimaga.com/
Home: perhaps@yes.no http://maybes.yes.no/perhaps/
All of the above is a product of either your or my imagination, and not
official.