[4485] in bugtraq
Re: ELM overflow
daemon@ATHENA.MIT.EDU (Michel GAUDET)
Fri May 16 14:05:25 1997
Date: Fri, 16 May 1997 13:31:05 +0200
Reply-To: Michel GAUDET <Michel.Gaudet@EHESS.FR>
From: Michel GAUDET <Michel.Gaudet@EHESS.FR>
X-To: security@home.bti.pl
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.93.970514130944.25517C-100000@home.bti.pl>
On Wed, 14 May 1997 security@home.bti.pl wrote:
> On Tue, 13 May 1997, Wojciech Swieboda wrote:
>
> > Hello,
> > I've lately found an overflow vulnerability in Elm (Elm is setgid
> > mail on Linux, and perhaps on some other platforms as well). I've tested this
> > bug on versions 2.3 and 2.4, on 3 different Linux installations.
> > From Elm 2.3's curses.c:
> > [...]
> > char termname[40];
> > char *strcpy(), *getenv();
> >
> > if (getenv("TERM") == NULL) return(-1);
> >
> > if (strcpy(termname, getenv("TERM")) == NULL)
> > return(-1);
> > [...]
> > to patch, change the strcpy line to
> > if (strncpy(termname, getenv("TERM"), sizeof(termname)) == NULL)
> >
> To patch it on Elm 2.4, change:
>
> [...]
> if (strcpy(termname, termenv) == NULL)
> return (-1);
>
> to:
> [...]
> if (strncpy(termname, termenv, sizeof(termname)) == NULL)
> return (-1);
>
>
> -Grych
>
You must terminate the string with \0 because strncpy doesn't: strncpy
copies at most n characters and, if the length of S2 >= n, does not
terminate the string.
Then I think the exact change should be:
char termname[40];
char *strncpy(), *getenv();
....
termname[39] = '\0' ;
if (strncpy(termname, termenv, sizeof(termname) - 1) == NULL)
return (-1);
Regards.
--------------------------------------------------------------------------
| Michel GAUDET |
| Ecole des Hautes Etudes en Sciences Sociales. |
| 54 Boulevard RASPAIL 75006 PARIS (France) |
| FAX:(33) 01 49 54 26 85 Email: Michel.Gaudet@ehess.fr |
| Tel:(33) 01 49 54 25 91 |
--------------------------------------------------------------------------
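The two patches side by side, as an added example that is not part of the thread or of Elm's own code: the first helper copies TERM with a bare strncpy into a 40-byte buffer like termname[40] in curses.c, the second applies the reply's correction (pre-set the last byte to '\0' and copy at most sizeof - 1). The oversize TERM value is constructed here to show which variant leaves the buffer unterminated.

```c
#include <stdio.h>
#include <string.h>

#define TERMNAME_LEN 40   /* same size as termname[40] in Elm's curses.c */

/* Copy TERM with a bare strncpy, as in the first proposed patch.
 * Returns 1 if the result is NUL-terminated inside the buffer, 0 if not.
 * (Constructed demonstration helper, not Elm's code.) */
int copy_term_strncpy_only(char *dst, size_t dstlen, const char *term)
{
    memset(dst, 'X', dstlen);       /* simulate stale stack contents */
    strncpy(dst, term, dstlen);     /* no '\0' added when strlen(term) >= dstlen */
    return memchr(dst, '\0', dstlen) != NULL;
}

/* The corrected pattern from the reply: reserve the last byte for '\0'
 * and copy at most dstlen - 1 characters. Always NUL-terminated. */
int copy_term_terminated(char *dst, size_t dstlen, const char *term)
{
    memset(dst, 'X', dstlen);
    dst[dstlen - 1] = '\0';
    strncpy(dst, term, dstlen - 1);
    return memchr(dst, '\0', dstlen) != NULL;
}

int main(void)
{
    char termname[TERMNAME_LEN];
    char longterm[61];              /* constructed oversize TERM: 60 'A's */
    memset(longterm, 'A', 60);
    longterm[60] = '\0';

    printf("strncpy only, long TERM : terminated=%d\n",
           copy_term_strncpy_only(termname, sizeof termname, longterm));
    printf("corrected,    long TERM : terminated=%d (len %zu)\n",
           copy_term_terminated(termname, sizeof termname, longterm),
           strlen(termname));
    copy_term_terminated(termname, sizeof termname, "vt100");
    printf("corrected,    vt100     : \"%s\"\n", termname);
    return 0;
}
```

The unterminated buffer from the first variant is what later code (string printing, further strcpy) would read past; the corrected variant truncates to 39 characters but always ends in '\0'.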