[3144] in Kerberos-V5-bugs
pending/781: default_com_err_proc possible overflow?
daemon@ATHENA.MIT.EDU (Kev)
Thu Oct 28 15:31:49 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, Kev <klmitch@MIT.EDU>
Message-Id: <199910281925.PAA29691@mint-square.mit.edu>
Date: Thu, 28 Oct 1999 15:25:57 -0400
From: Kev <klmitch@MIT.EDU>
To: krb5-bugs@MIT.EDU
>Number: 781
>Category: pending
>Synopsis: default_com_err_proc possible overflow?
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Oct 28 15:31:01 EDT 1999
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
In default_com_err_proc(), we have the following code:
------- Begin code snippet, src/util/et/com_err.c
#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
char errbuf[1024] = "";
if (whoami) {
strcat (errbuf, whoami);
strcat (errbuf, ": ");
}
if (code) {
strcat (errbuf, error_message(code));
strcat (errbuf, " ");
}
if (fmt)
vsprintf (errbuf + strlen (errbuf), fmt, ap);
------- End code snippet
This could potentially result in overflows. This is from the 1.1 sources;
I couldn't manage to grab the cvs sources...
--
Kevin L. Mitchell <klmitch@mit.edu>
------------------------- -. .---- --.. ..- -..- --------------------------
http://web.mit.edu/klmitch/www/ (PGP keys availiable from here)
RSA AE87D37D/1024: DE EA 1E 99 3F 2B F9 23 A0 D8 05 E0 6F BA B9 D2
DSS ED0DB34E/1024: D9BF 0E74 FDCB 43F5 C597 878F 9455 EC24 ED0D B34E
DH 2A2C31D4/2048: 1A77 4BA5 9E32 14AE 87DA 9FEC 7106 FC62 2A2C 31D4
