[18364] in bugtraq
Re: buffer overflow in libsecure (NSA Security-enhanced Linux)
daemon@ATHENA.MIT.EDU (Perry Harrington)
Thu Dec 28 16:37:56 2000
Message-Id:  <20001227153528.A3722@webcom.com>
Date:         Wed, 27 Dec 2000 15:35:28 -0800
Reply-To: Perry Harrington <pedward@WEBCOM.COM>
From: Perry Harrington <pedward@WEBCOM.COM>
X-To:         Matt Power <mhpower@bos.bindview.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200012261856.NAA14791@theta.bos.bindview.com>; from
              mhpower@BOS.BINDVIEW.COM on Tue, Dec 26, 2000 at 01:56:30PM -0500

From your message, it would appear that the file parser is at fault, not
truncating the newline in the value.  If the newline is removed, like most
config file parsers, then the allocation logic is correct.
--Perry
> value of buf would be "sysadm_r:sysadm_t\n". There are no leading
>
>         (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));
>
> the argument to malloc is 18 - 0 - 8 - 1, which is 9. Then,
>
>         strcpy ((*type), &buf[i]+len+1);
>
> attempts to copy the 10 characters "sysadm_t\n\0" into the 9-character
> buffer.
>
> This patch should address the issue:
>
> *** get_default_type.c.old	Thu Nov 30 11:32:58 2000
> --- get_default_type.c	Tue Dec 26 00:19:04 2000
> ***************
> *** 72,74 ****
>           /* malloc space for the type */
> !         (*type) =3D (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1=
));
>           if ((*type) =3D=3D NULL)
> --- 72,74 ----
>           /* malloc space for the type */
> !         (*type) =3D (char*) malloc (sizeof(char) * (strlen(buf)-i-len));
>           if ((*type) =3D=3D NULL)
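
Review bot: the new size on the changed line, strlen(buf)-i-len, matches what the later strcpy from &buf[i]+len+1 writes only because the -1 for the ":" separator and the +1 for the terminating NUL cancel out, and the "malloc space for the type" comment does not say so. Suggest sizing from the copy source itself, strlen(&buf[i]+len+1) + 1, or extending the comment to mention the NUL, so the allocation cannot drift from the copy again. The allocation also still counts the trailing "\n" from buf, so the stored type keeps the newline unless it is stripped before this point.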
>
>
> Matt Power
> BindView Corporation, RAZOR Team
> mhpower@bos.bindview.com
-- 
Perry Harrington                 Director of                   zelur xuniL  ()
perry@webcom.com             System Architecture               Think Blue.  /\
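
The byte counts walked through in the quoted analysis, as an added example that is not part of either message and is not libsecure's code: the three size functions restate the expressions quoted above, `extract_type` is a hypothetical hardened helper, and `i = 0`, `len = 8` are taken from the "18 - 0 - 8 - 1" arithmetic. It also evaluates the same line with the newline already stripped, which goes beyond the single case in the thread; both input lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size passed to malloc by the original line: strlen(buf)-i-len-1. */
static size_t alloc_original(const char *buf, size_t i, size_t len) {
    return strlen(buf) - i - len - 1;
}

/* Size passed to malloc by the patched line: strlen(buf)-i-len. */
static size_t alloc_patched(const char *buf, size_t i, size_t len) {
    return strlen(buf) - i - len;
}

/* Bytes strcpy() writes for the source &buf[i]+len+1, NUL included. */
static size_t bytes_copied(const char *buf, size_t i, size_t len) {
    return strlen(&buf[i] + len + 1) + 1;
}

/* Hypothetical hardened helper (an assumption, not the library's API):
 * malloc'd copy of the text after "role:", line ending dropped. */
static char *extract_type(const char *buf, size_t i, size_t len) {
    if (strlen(buf) < i + len + 1 || buf[i + len] != ':')
        return NULL;                   /* no separator where expected */
    const char *src = &buf[i] + len + 1;
    size_t n = strcspn(src, "\r\n");   /* length without the line ending */
    char *type = malloc(n + 1);        /* +1 for the terminating NUL */
    if (type == NULL)
        return NULL;
    memcpy(type, src, n);
    type[n] = '\0';
    return type;
}

int main(void) {
    /* Constructed inputs: the line from the thread, with and without "\n". */
    const char *lines[] = { "sysadm_r:sysadm_t\n", "sysadm_r:sysadm_t" };
    for (size_t k = 0; k < 2; k++) {
        char *t = extract_type(lines[k], 0, 8);
        printf("strlen=%zu original=%zu patched=%zu copied=%zu type=\"%s\"\n",
               strlen(lines[k]), alloc_original(lines[k], 0, 8),
               alloc_patched(lines[k], 0, 8), bytes_copied(lines[k], 0, 8),
               t ? t : "(null)");
        free(t);
    }
    return 0;
}
```

For both constructed lines the original expression comes out one byte short of what strcpy writes (9 against 10 with the newline, 8 against 9 without), while the patched expression matches the copy.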