[9695] in bugtraq
Re: Tetrix 1.13.16 is Vulnerable
daemon@ATHENA.MIT.EDU (Pavel Machek)
Sat Feb 20 18:29:34 1999
Date: Fri, 19 Feb 1999 11:04:42 +0100
Reply-To: Pavel Machek <pavel@BUG.UCW.CZ>
From: Pavel Machek <pavel@BUG.UCW.CZ>
X-To: Steven Hodges <nsn@RAW.VELOWEB.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.05.9902171302470.1095-100000@raw.veloweb.com>; from Steven Hodges on Wed, Feb 17, 1999 at 01:03:45PM -0800
Hi!
> I have recently found a buffer overflow in a TetriNet daemon for Linux
> called "Tetrix". To exploit this bug, you will need a hostname longer than
> 122 characters, and any method of connecting to the host on port 31457.
> Once you are connected, the overflow should take place.
>
> here is the patch!
...which does not work.
> diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c
> --- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998
> +++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999
> @@ -250,15 +250,17 @@
> unsigned long ip;
> {
> struct hostent *hp; unsigned long addr=ip;
> - unsigned char *p; static char s[121];
> -/* alarm(10);*/
> + unsigned char *p; static char s[UHOSTLEN];
> +
> hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/
> if (hp==NULL) {
> p=(unsigned char *)&addr;
> sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);
> return s;
> }
> - strcpy(s,hp->h_name); return s;
> + strncpy(s,hp->h_name,(UHOSTLEN-1));
> + s[strlen(s)]='\0';
> + return s;
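Review bot: the added line `s[strlen(s)]='\0';` cannot terminate `s` in the one case the patch is meant to handle. When `hp->h_name` is at least `UHOSTLEN-1` bytes long, `strncpy(s,hp->h_name,(UHOSTLEN-1))` copies `UHOSTLEN-1` bytes and stops without writing a NUL, so `strlen(s)` scans past the end of the static buffer looking for a terminator that is not there, and the index it produces is meaningless. Write the terminator at a fixed position instead, `s[UHOSTLEN-1]='\0';`, so the copy is correct whether or not `strncpy` hit a NUL. Note also that the `sprintf(s,"%u.%u.%u.%u",...)` path in the unchanged context still relies on `UHOSTLEN` being at least 16 bytes; the definition of `UHOSTLEN` is not part of this hunk, so that should be confirmed where it is defined.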
If s is not null-terminated after strncpy...
The strncpy() function is similar, except that not more
than n bytes of src are copied. Thus, if there is no null
byte among the first n bytes of src, the result will not be
null-terminated.
...then s[strlen(s)]='\0'; will not help it - because strlen() looks
for \0 :-).
s[UHOSTLEN-1]='\0'; would be correct.
Pavel
--
I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
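The point Pavel makes above, as an added example that is not part of the original thread or of the Tetrix source. It assumes UHOSTLEN is 128 (the patch uses the macro but the message does not show its definition), keeps the check side-effect free by inspecting the source string with memchr rather than copying it, and shows the unconditional `s[UHOSTLEN-1]='\0'` fix on a constructed over-long hostname and on a short one.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value: the quoted patch uses UHOSTLEN, but its definition is
   not shown in the message. */
#ifndef UHOSTLEN
#define UHOSTLEN 128
#endif

/* Returns 1 when strncpy(dst, src, n) would leave dst without a NUL
   terminator, which is exactly when no NUL occurs in the first n bytes
   of src. Only src is inspected; nothing is copied, so there is no
   unterminated buffer to scan afterwards. */
int strncpy_leaves_unterminated(const char *src, size_t n)
{
    return memchr(src, '\0', n) == NULL;
}

/* Hostname copy with the fix Pavel proposes: copy at most slen-1 bytes,
   then write the terminator at a fixed index. Using strlen(s) to find
   the index would read past the end of an unterminated buffer. */
char *copy_hostname(char *s, size_t slen, const char *name)
{
    strncpy(s, name, slen - 1);
    s[slen - 1] = '\0';
    return s;
}

/* Builds a constructed hostname of namelen 'a' characters (a stand-in
   for a reverse-DNS name longer than the buffer), copies it into a
   UHOSTLEN-byte static buffer as net.c does, and returns the resulting
   string length. */
size_t copy_constructed_name_len(size_t namelen)
{
    char name[512];
    static char s[UHOSTLEN];

    if (namelen >= sizeof name)
        namelen = sizeof name - 1;
    memset(name, 'a', namelen);
    name[namelen] = '\0';
    copy_hostname(s, sizeof s, name);
    return strlen(s);
}

int main(void)
{
    /* Constructed 299-character hostname, longer than UHOSTLEN. */
    char longname[300];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("strncpy with n=%d leaves a %zu-char name unterminated: %s\n",
           UHOSTLEN - 1, strlen(longname),
           strncpy_leaves_unterminated(longname, UHOSTLEN - 1) ? "yes" : "no");
    printf("copy_hostname result length: %zu (buffer is %d bytes)\n",
           copy_constructed_name_len(strlen(longname)), UHOSTLEN);
    printf("short name copied intact: %zu chars\n",
           copy_constructed_name_len(12));
    return 0;
}
```

The check function models the failing condition of the posted patch: for any name of UHOSTLEN-1 or more characters, strncpy with n = UHOSTLEN-1 writes no NUL, so the `s[strlen(s)]` index in the patch is computed from bytes beyond the buffer. copy_hostname never depends on that condition, because the terminator position is known before the copy happens.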