[6663] in bugtraq
Re: TOG and xterm problem
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@VT.EDU)
Mon May 4 11:42:21 1998
Date: Mon, 4 May 1998 10:31:04 -0400
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis.Kletnieks@VT.EDU
X-To: peak@kerberos.troja.mff.cuni.cz
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 04 May 1998 11:06:05 +0200."
<Pine.LNX.3.95.980504105231.21557F-100000@kerberos.troja.mff.cuni.cz>
--==_Exmh_-15157014P
Content-Type: text/plain; charset=us-ascii
On Mon, 04 May 1998 11:06:05 +0200, you said:
> xc/programs/xterm/charproc.c:
> * HandleKeymapChange():
>
> (void) sprintf( mapName, "%sKeymap", params[0] );
> (void) strcpy( mapClass, mapName );
>
> (actually, the second command is mostly harmless because the size of
> mapName and mapClass is the same)
Actually, not necessarily. It's "mostly harmless" if in addition to the
sizes being the same, you can "prove" in the program-correctness sense
that the source will be null-terminated at the appropriate place.
Think. if they just overflowed mapName via sprintf, then they can ALSO
overflow mapClass. And it's quite possible that mapClass is the array
that you need to overflow to create the exploit (mapName possibly being
at an inconvenient location in memory...)
This of course as just a "general guideline" - an actual examination of
the source is required. I'm just pointing out that "they're the same size"
is not always enough....
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
--==_Exmh_-15157014P
Content-Type: application/pgp-signature
-----BEGIN PGP MESSAGE-----
Version: 2.6.2
iQCVAwUBNU3RJ9QBOOoptg9JAQGqEAP/dIjBJQ2ID9S3KMK7pQfmgTqXoyzcfBl9
uOAIWIxax2m0nvvJKQ2gVoHPKvpygbQyb7AqlSBC/+uXP5aGvU1Qo3lnECCj8WmU
iG54syYzalg5vuXIM0tngSLTWB3GoiV8UBOrsMcHvhf1QmJ61JxX6S4ZGxi4yHFn
woZXJrYjlT8=
=dQ2I
-----END PGP MESSAGE-----
--==_Exmh_-15157014P--
