[17667] in bugtraq
Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd
daemon@ATHENA.MIT.EDU (Christos Zoulas)
Thu Nov 16 13:09:30 2000
Message-ID: <20001115225527.EF3D932D3@hrothgar.gw.com>
Date: Wed, 15 Nov 2000 17:55:27 -0500
Reply-To: Christos Zoulas <christos@ZOULAS.COM>
From: Christos Zoulas <christos@ZOULAS.COM>
X-To: security-advisories@freebsd.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20001114223059.4FA8837B479@hub.freebsd.org> from FreeBSD
Security Advisories (Nov 14, 2:30pm)
On Nov 14, 2:30pm, security-advisories@FREEBSD.ORG (FreeBSD Security Advisories) wrote:
-- Subject: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd
The code below is incorrect at least on the version of telnetd I
am looking at. A few lines above the uni-diff, "line" is declared
to be "extern char *", thus sizeof(line) will return sizeof(char *),
which is clearly wrong. Also the patch is missing a
few more possible buffer overflows that may or may not be significant.
christos
| --- telnetd.c 2000/01/25 14:52:00 1.22
| +++ telnetd.c 2000/10/31 05:29:54 1.23
| @@ -811,7 +811,7 @@
| fatal(net, "Out of ptys");
|
| if ((pty = open(lp, 2)) >= 0) {
| - strcpy(line,lp);
| + strlcpy(line,lp,sizeof(line));
| line[5] = 't';
| break;
| }
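
Review bot: in the added `strlcpy(line,lp,sizeof(line));` line, the size argument is only right if `line` is visible as an array in this file. Its declaration is outside the hunk, and if it is `extern char *` as the reply above reports, sizeof(line) is the pointer size, the copy is cut to a few bytes, and the `line[5] = 't'` that follows operates on a truncated name. Pass the buffer's real capacity (a shared constant, or an array declaration in the header) and check the strlcpy return value for truncation before `line` is used.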
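
The sizeof point raised in the reply above, as an added example that is not part of the original message or of telnetd: the same bounded copy is made once with sizeof applied to a pointer and once with the buffer's real capacity. LINE_SIZE, bounded_copy, the function names and the sample device name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 16                  /* assumed capacity of the real buffer */

static char line_storage[LINE_SIZE];  /* the array as its defining file sees it */
static char *line = line_storage;     /* what a user of "extern char *line" sees */

/* strlcpy-style copy (hypothetical helper, so the example builds on libcs
 * without strlcpy): NUL-terminates when size > 0 and returns strlen(src)
 * so the caller can detect truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Pattern under discussion: sizeof on a pointer yields the pointer width
 * (typically 4 or 8), not the capacity of the buffer it points to. */
static size_t copy_with_pointer_sizeof(const char *lp)
{
    memset(line_storage, 0, sizeof(line_storage));
    bounded_copy(line, lp, sizeof(line));
    return strlen(line);              /* bytes that actually survived */
}

/* Corrected form: pass the real capacity and reject truncated names. */
static int copy_with_real_size(const char *lp)
{
    memset(line_storage, 0, sizeof(line_storage));
    if (bounded_copy(line, lp, LINE_SIZE) >= LINE_SIZE)
        return -1;                    /* name did not fit */
    return 0;
}

int main(void)
{
    const char *lp = "/dev/ptyp0";    /* constructed sample pty name */
    printf("pointer sizeof kept %zu of %zu bytes\n",
           copy_with_pointer_sizeof(lp), strlen(lp));
    printf("real size: rc=%d line=%s\n", copy_with_real_size(lp), line);
    return 0;
}
```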