[4862] in bugtraq
Re: Buffer overflow in "lpr"
daemon@ATHENA.MIT.EDU (Warner Losh)
Tue Jul 8 11:24:36 1997
Date: Tue, 8 Jul 1997 08:31:30 -0600
Reply-To: Warner Losh <imp@VILLAGE.ORG>
From: Warner Losh <imp@VILLAGE.ORG>
X-To: a42n8k9 <a42n8k9@REDROSE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Thu, 04 Jul 1996 12:52:45 EDT."
<31DBF6DD.1A0E@redrose.net>
In message <31DBF6DD.1A0E@redrose.net> a42n8k9 writes:
: If I'm not mistaken this should show if a vulnerability exists.
...
: static char *linked(register char *file) {
: register char *cp;
: static char buf[BUFSIZ];
: .
: .
: .
: strcat(buf, "/");
: -------------> strcat(buf, file);
: .
: .
: .
: }
:
: Perhaps a fix would be to use the line "strncat(buf, file, BUFSIZ)"
: but that would stop lpr from processing a file with a name greater
: than BUFSIZ characters.
strncat wouldn't do what you wanted in this case. It would append at
most BUFSIZ characters, rather than at most BUFSIZ-strlen(buf)
characters. Also, you need to '\0' terminate the buf after this
because str*cat doesn't do that for you.
Warner
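The bound arithmetic in the reply above, worked through as an added example; this is not lpr's code, and the function names, the 16-byte buffer and the sample path are constructed for illustration. `naive_overrun` computes how far `strncat(buf, file, BUFSIZ)` would write past the end of the buffer, and `append_name` shows the bound based on the space actually left.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example. Bytes that strncat(buf, cap, file) would write past
 * the end of a cap-byte buffer (0 if it fits). strncat appends at most
 * its length argument characters and then always one terminating NUL. */
size_t naive_overrun(const char *buf, size_t cap, const char *file) {
    size_t used = strlen(buf);
    size_t n = strlen(file);
    if (n > cap)
        n = cap;                     /* strncat copies at most cap chars */
    size_t end = used + n + 1;       /* + terminating NUL */
    return end > cap ? end - cap : 0;
}

/* Characters that can still be appended to buf, leaving room for the NUL.
 * This is the cap - strlen(buf) - 1 bound the reply describes. */
size_t room_left(const char *buf, size_t cap) {
    size_t used = strlen(buf);
    return used < cap ? cap - used - 1 : 0;
}

/* Append "/" and file to buf, bounding each copy by the space left rather
 * than by the buffer size. Returns 0 on success, -1 if the full name does
 * not fit (buf is left unchanged rather than silently truncated). */
int append_name(char *buf, size_t cap, const char *file) {
    size_t need = 1 + strlen(file);  /* "/" plus the file name */
    if (need > room_left(buf, cap))
        return -1;
    strncat(buf, "/", room_left(buf, cap));
    strncat(buf, file, room_left(buf, cap));
    buf[cap - 1] = '\0';             /* harmless here; guarantees termination */
    return 0;
}
```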