[5357] in bugtraq
Re: Possible weakness in LPD protocol
daemon@ATHENA.MIT.EDU (Doug Hughes)
Sun Oct 5 15:02:06 1997
Date: Sun, 5 Oct 1997 11:45:17 -0500
Reply-To: Doug Hughes <Doug.Hughes@ENG.AUBURN.EDU>
From: Doug Hughes <Doug.Hughes@ENG.AUBURN.EDU>
To: BUGTRAQ@NETSPACE.ORG
Thomas Roessler wrote:
>
>On October 02 1997, Bennett Samowich wrote:
>
>> 1.) Obtaining hard (or possibly soft) copies of any file on the system.
>> 2.) Deleting any file on the system.
>> 3.) Creating a file on the system.
>> 4.) Mail bombing.
>
>5.) Overflow at least one buffer from the network; this is just
>above the "print any file" part of recvjob.c:
>
>	cp = line;
>	do {
>		if ((size = read(1, cp, 1)) != 1) {
>			if (size < 0)
>				frecverr("%s: Lost connection",printer);
>			return(nfiles);
>		}
>	} while (*cp++ != '\n');
>
>
>Consequences aren't really obvious, but you may be able to do
>nasty things.
>
>Will we ever get rid of gets()? (lpd source tree is from some
>recent RedHat distribution.)
Here's another one from common_source/common.c:

	while ((c = getc(cfp)) != '\n') {
		if (c == EOF)
			return(0);
		if (c == '\t') {
			do {
				*lp++ = ' ';
				linel++;
			} while ((linel & 07) != 0);
			continue;
		}
		*lp++ = c;
		linel++;
	}
	*lp++ = '\0';
	return(linel);
A fix would appear to be to make the while like this:

	while ((c = getc(cfp)) != '\n' && linel < BUFSIZ-8) {

Why BUFSIZ-8? Leave space for tab expansion in the inner do loop. It still
should be a plenty long enough buffer. Or, add another check for linel in
the inner do loop.
-
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug@eng.auburn.edu
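The getline loop quoted in the message above, beside the bounded version Doug Hughes proposes, as an added example that is not part of the original post or of the lpd sources. It is a self-contained reconstruction: the buffer is passed in rather than being lpd's global `line[BUFSIZ]`, LINE_SZ is 32 instead of BUFSIZ so a short constructed control file is enough to run past it, and the control-file text, the canary struct and the helper names (`getline_unbounded`, `getline_bounded`, `bounded_len`, `unbounded_len_of_long_line`) are assumptions made here for the demonstration. The same bounded-loop discipline is what the recvjob.c read loop quoted earlier lacks.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Line buffer size. lpd uses a BUFSIZ-sized global; 32 is used here so a
 * short constructed control file is enough to run past it. */
#define LINE_SZ 32

/* The loop quoted in the message (common_source/common.c getline), unchanged
 * apart from taking its buffer as a parameter. A tab expands to spaces up to
 * the next multiple of 8, so one input byte can emit up to 8 output bytes,
 * and nothing ever compares linel against the buffer size. Returns the
 * expanded length, or 0 on EOF (lpd's convention). */
static int getline_unbounded(FILE *cfp, char *line)
{
    int linel = 0, c;
    char *lp = line;

    while ((c = getc(cfp)) != '\n') {
        if (c == EOF)
            return 0;
        if (c == '\t') {
            do {
                *lp++ = ' ';
                linel++;
            } while ((linel & 07) != 0);
            continue;
        }
        *lp++ = c;
        linel++;
    }
    *lp++ = '\0';
    return linel;
}

/* The fix proposed in the message: do not enter the body once fewer than 8
 * bytes are free, so a worst-case tab expansion plus the NUL still fit. */
static int getline_bounded(FILE *cfp, char *line)
{
    int linel = 0, c;
    char *lp = line;

    while ((c = getc(cfp)) != '\n' && linel < LINE_SZ - 8) {
        if (c == EOF)
            return 0;
        if (c == '\t') {
            do {
                *lp++ = ' ';
                linel++;
            } while ((linel & 07) != 0);
            continue;
        }
        *lp++ = c;
        linel++;
    }
    *lp++ = '\0';
    return linel;
}

/* Constructed control file (not real lpd traffic): a normal line, a line
 * with a tab, and a 40-byte line that does not fit in LINE_SZ. */
static const char CONSTRUCTED_CF[] =
    "Hhost\n"
    "J\tx\n"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\n";

/* Constructed line whose tab expansion lands exactly on LINE_SZ - 8. */
static const char TAB_EDGE_CF[] = "BBBBBBBBBB" "BBBBBBBBBB" "BBB" "\tC\n";

/* Line buffer followed by a canary so a write past LINE_SZ is detectable. */
struct guarded { char line[LINE_SZ]; char canary[8]; };

/* Length the unbounded loop produces for the 40-byte line. It is written
 * into a large scratch buffer, the only way to call it safely; against a
 * LINE_SZ buffer the same 41 bytes (length plus NUL) would run off the end. */
static int unbounded_len_of_long_line(void)
{
    char scratch[4096];
    FILE *fp = fmemopen((void *)CONSTRUCTED_CF, sizeof CONSTRUCTED_CF - 1, "r");
    int len = -1;
    if (fp == NULL)
        return -1;
    for (int i = 0; i < 3; i++)
        len = getline_unbounded(fp, scratch);
    fclose(fp);
    return len;
}

/* Length returned by the n-th call of the bounded reader on the given
 * control file, or -1 if the canary after the buffer was touched. */
static int bounded_len(const char *cf, size_t cflen, int n)
{
    struct guarded g;
    FILE *fp = fmemopen((void *)cf, cflen, "r");
    int len = -1;
    if (fp == NULL)
        return -1;
    memset(g.canary, 0x5a, sizeof g.canary);
    while (n-- > 0)
        len = getline_bounded(fp, g.line);
    fclose(fp);
    for (size_t i = 0; i < sizeof g.canary; i++)
        if (g.canary[i] != 0x5a)
            return -1;
    return len;
}

int main(void)
{
    printf("unbounded reader, 40-byte line: length %d into a %d-byte buffer\n",
           unbounded_len_of_long_line(), LINE_SZ);
    for (int n = 1; n <= 4; n++)
        printf("bounded reader, call %d: length %d\n", n,
               bounded_len(CONSTRUCTED_CF, sizeof CONSTRUCTED_CF - 1, n));
    printf("bounded reader, tab at boundary: length %d\n",
           bounded_len(TAB_EDGE_CF, sizeof TAB_EDGE_CF - 1, 1));
    return 0;
}
```

Two things the bounded version does at the truncation point that a caller has to know about: the byte read when the bound trips has already been consumed by getc() and is dropped, and the rest of the overlong line is returned by the next call as though it were a separate control-file line, so the caller still has to decide whether a truncated line should be processed at all.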