[869] in Zephyr_Bugs
buffer overflow in zephyr syslogd
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Sun Jul 13 03:04:17 1997
From: mhpower@MIT.EDU
To: bugs@MIT.EDU, bug-zephyr@MIT.EDU, sipb-athena-bugs@MIT.EDU
Cc: mkgray@MIT.EDU
Date: Sun, 13 Jul 1997 03:04:13 EDT
There's a 1025-character buffer called "line" for the Zephyr message;
however, the data written to this may include up to 1024 characters
received over the net via UDP port 514, plus a 15-character
month/day/time string, plus the client's domain name with up to
MAXHOSTNAMELEN+1 characters supplied by the client's DNS server and
perhaps more characters after that since apparently it is not
necessarily NUL-terminated. This patch should address these issues.
Matt
*** /mit/zephyr/src/clients/syslogd/syslogd.c Thu Mar 20 17:31:50 1997
--- syslogd.c Sun Jul 13 02:29:20 1997
***************
*** 871,872 ****
--- 871,873 ----
sizeof(f->f_prevhost));
+ f->f_prevhost[sizeof(f->f_prevhost) - 1] = '\0';
if (msglen < MAXSVLINE) {
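Review bot: the new assignment to f->f_prevhost[sizeof(f->f_prevhost) - 1] has no comment saying why it is needed, and the preceding call is still passed the full sizeof(f->f_prevhost) as its limit, so the last byte can be written by the copy and then overwritten here. Either pass sizeof(f->f_prevhost) - 1 to the copy so the intent is visible at the call, or keep the line and add a short comment that the copy does not guarantee NUL termination when the host name fills the array. Any other place that copies a host name into a fixed-size field with the same pattern deserves the same treatment.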
***************
*** 900,902 ****
register int l;
! char line[MAXLINE + 1];
char repbuf[80];
--- 901,903 ----
register int l;
! char line[MAXLINE + MAXHOSTNAMELEN + 21];
char repbuf[80];
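Review bot: the constant 21 in the new declaration of line is unexplained. A comment or a named constant that breaks it down (the 15-character month/day/time string, the extra host name character, separators and the terminating NUL) would let the next reader check the arithmetic against the code that fills the buffer. Enlarging the array also only helps if every write into line is bounded: the hunk does not show those writes, so confirm that each one is limited by sizeof(line) rather than relying on the inputs staying within MAXLINE and MAXHOSTNAMELEN, since the description notes the host name may not be NUL-terminated.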