Re: CPSN 4-970424: Possible buffer overflow in pop3d
daemon@ATHENA.MIT.EDU (J. Joseph Max Katz)
Tue Apr 29 00:12:57 1997
Date: Mon, 28 Apr 1997 09:17:11 -0500
Reply-To: "J. Joseph Max Katz" <jkatz@CORINNE.MAC.EDU>
From: "J. Joseph Max Katz" <jkatz@CORINNE.MAC.EDU>
X-To: Derric Scott <dtscott@scott.net>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199704280333.WAA29912@koala.scott.net>

On Sun, 27 Apr 1997, Derric Scott wrote:
> While I don't profess to be the keeper of BSD POP3d, I have made recent
> changes and made them available. So.... I took a very quick look and
> changed that "offending" strcpy to a strncpy. I'll soon put 1.005f
> up on: ftp://ftp.scott.net/pub/linux/mail

Thank you for the quick response.

> Is this security notice based on an exploit or is it just from examination
> of the code. My cursory glance indicates that there is no real threat from
> that strcpy because the length of the input has already been checked before

Only upon examination-- I only looked at the code, saw
strcpy(static_array, char *) and gasped-- and made the release. It looks
as if, within function svr_auth it only gets the input from a 128
character array, then later, subtracts the first four characters out
(deciding if it is USER or PASS or whatever) and then puts that into a
pointer when a different function is called, and then strcpy's it.

> FUNCTION: svr_auth(state,inbuf), has the "offending" line:
> strcpy(cli_user,inbuf);
> BUT: svr_auth is called from MAIN with:
> svr_state = svr_auth(svr_state,cli_buf);
> where cli_buf is read previously from stdin with:
> if (fgetl(cli_buf,CLI_BUFSIZ,stdin) == NULL)
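
The exchange above turns on whether the bound enforced by fgetl(cli_buf, CLI_BUFSIZ, stdin) is enough to make the later strcpy(cli_user, inbuf) safe, and on Derric's fix of swapping it for strncpy. The following C program is an added example written for this thread; it is not the BSD POP3d source and was not posted by either participant. It reproduces the shape of that call chain so the "length was already checked" argument becomes an explicit size invariant that can be tested, and it shows the strncpy form together with the NUL termination that strncpy by itself does not guarantee. CLI_BUFSIZ, CLI_USER_SIZ, the five-byte command prefix and the client lines are assumptions, not values taken from the daemon.

```c
/* Added example for the pop3d strcpy discussion; not the BSD POP3d code.
 * Sizes, the "USER " prefix handling and all inputs are assumptions. */
#include <stdio.h>
#include <string.h>

#define CLI_BUFSIZ   128   /* assumed: the 128-character input array mentioned in the thread */
#define CLI_USER_SIZ 64    /* assumed: chosen smaller than CLI_BUFSIZ so the invariant fails */
#define CMD_LEN      5     /* assumed: "USER " / "PASS ", four-letter command plus one space */

static char cli_user[CLI_USER_SIZ];

/* The argument Derric relies on, made explicit: a strcpy from a
 * NUL-terminated source buffer of src_size bytes, starting skip bytes in,
 * writes at most src_size - skip bytes including the NUL. It is safe for
 * every input only if the destination holds that many. Returns 1 when the
 * invariant holds, 0 when some in-bounds input could overflow dst. */
int copy_is_bounded(size_t dst_size, size_t src_size, size_t skip)
{
    if (skip >= src_size)
        return 1;                       /* nothing left to copy */
    return (src_size - skip) <= dst_size;
}

/* Stand-in for fgetl(cli_buf, CLI_BUFSIZ, stdin): takes the line from a
 * constructed string instead of stdin, bounded the same way. */
static void read_line(char *cli_buf, const char *line)
{
    strncpy(cli_buf, line, CLI_BUFSIZ - 1);
    cli_buf[CLI_BUFSIZ - 1] = '\0';
    cli_buf[strcspn(cli_buf, "\r\n")] = '\0';   /* strip line terminator */
}

/* strncpy form of the copy in svr_auth. strncpy pads short sources with
 * NULs but writes no terminator when the source is n bytes or longer, so
 * the terminator is set explicitly. Returns 0 when the argument fit and
 * 1 when it was truncated (a server should reject such a line rather than
 * proceed with a silently shortened name). */
int svr_auth_strncpy(const char *inbuf)
{
    const char *arg = inbuf + CMD_LEN;
    size_t len = strlen(arg);

    strncpy(cli_user, arg, CLI_USER_SIZ - 1);
    cli_user[CLI_USER_SIZ - 1] = '\0';
    return len > CLI_USER_SIZ - 1;
}

/* Drive one constructed client line through read + auth.
 * Returns -1 when there is no argument after the command word. */
int auth_line(const char *line)
{
    char cli_buf[CLI_BUFSIZ];
    read_line(cli_buf, line);
    if (strlen(cli_buf) < CMD_LEN)
        return -1;
    return svr_auth_strncpy(cli_buf);
}

/* Build "USER " followed by n copies of c (constructed input) and run it. */
int auth_repeated(char c, size_t n)
{
    char line[CLI_BUFSIZ + 64];
    if (n > sizeof line - CMD_LEN - 1)
        n = sizeof line - CMD_LEN - 1;
    memcpy(line, "USER ", CMD_LEN);
    memset(line + CMD_LEN, c, n);
    line[CMD_LEN + n] = '\0';
    return auth_line(line);
}

const char *current_user(void) { return cli_user; }

int main(void)
{
    printf("invariant, %d-byte cli_user: %d\n", CLI_BUFSIZ,
           copy_is_bounded(CLI_BUFSIZ, CLI_BUFSIZ, CMD_LEN));
    printf("invariant, %d-byte cli_user: %d\n", CLI_USER_SIZ,
           copy_is_bounded(CLI_USER_SIZ, CLI_BUFSIZ, CMD_LEN));
    printf("USER alice  -> truncated=%d user=%s\n",
           auth_line("USER alice\r\n"), current_user());
    printf("USER a*100  -> truncated=%d len=%zu\n",
           auth_repeated('a', 100), strlen(current_user()));
    return 0;
}
```

The useful check for a reviewer of the real code is the one copy_is_bounded encodes: compare sizeof(cli_user) against CLI_BUFSIZ minus the command prefix length, because the fgetl bound only protects the strcpy when the destination is at least that large. Replacing strcpy with strncpy removes the overflow regardless of those sizes, but only if the terminator is written and truncation is treated as an error rather than ignored.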