[5343] in bugtraq
Re: Possible weakness in LPD protocol
daemon@ATHENA.MIT.EDU (Oliver Friedrichs)
Fri Oct 3 19:42:17 1997
Date: Fri, 3 Oct 1997 11:55:06 -0600
Reply-To: Oliver Friedrichs <oliver@SILENCE.SECNET.COM>
From: Oliver Friedrichs <oliver@SILENCE.SECNET.COM>
X-To: Thomas Roessler <roessler@GUUG.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSI.3.96.971003114221.6664A-100000@silence.secnet.com>
> On October 02 1997, Bennett Samowich wrote:
>
> 5.) Overflow at least one buffer from the network; this is just
> above the "print any file" part of recvjob.c:
>
>         cp = line;
>         do {
>                 if ((size = read(1, cp, 1)) != 1) {
>                         if (size < 0)
>                                 frecverr("%s: Lost connection",printer);
>                         return(nfiles);
>                 }
>         } while (*cp++ != '\n');

In this case "line" is a global variable in common_source/common.c, so it
wouldn't be vulnerable to the standard stack overflow; however, there are
some other interesting variables near it that look like they could be
manipulated to create undesired effects.
- Oliver
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Secure Networks Incorporated. Calgary, Alberta, Canada, (403) 262-9211
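
Added example, not part of the original post and not code from the lpd source: a bounded version of the line-reading loop quoted above, which rejects an overlong line instead of writing past the buffer into whatever is stored next to it. The names LINE_CAP, read_line_bounded and demo, the small buffer size, and the struct with a "neighbour" field are assumptions made for illustration; the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LINE_CAP 16   /* small on purpose for the demo; an assumed size */

/* Constructed layout: a line buffer followed by a neighbouring variable,
 * standing in for whatever sits next to a global "line" buffer. */
static struct { char line[LINE_CAP]; unsigned neighbour; } g = { {0}, 0x5afe };

/* Read one '\n'-terminated line from fd into buf (capacity cap).
 * Returns the line length (newline replaced by NUL), -1 on EOF or read
 * error before a newline, -2 if the line does not fit in buf. */
static long read_line_bounded(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return -2;
    for (;;) {
        char c;
        if (read(fd, &c, 1) != 1)
            return -1;              /* lost connection */
        if (c == '\n') {
            buf[n] = '\0';
            return (long)n;
        }
        if (n + 1 >= cap)
            return -2;              /* reject rather than write past buf */
        buf[n++] = c;
    }
}

/* Feed constructed input through a pipe and return the reader's result. */
static long demo(const char *input)
{
    int p[2];
    long rc;
    if (pipe(p) != 0)
        return -3;
    ssize_t w = write(p[1], input, strlen(input));
    close(p[1]);                    /* so the reader sees EOF after the data */
    rc = (w < 0) ? -3 : read_line_bounded(p[0], g.line, sizeof g.line);
    close(p[0]);
    return rc;
}

int main(void)
{
    printf("%ld\n", demo("short line\n"));
    printf("%ld\n", demo("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"));
    printf("%ld neighbour=%#x\n", demo("no newline"), g.neighbour);
    return 0;
}
```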