[18725] in bugtraq


Re: Buffer overflow in bing

daemon@ATHENA.MIT.EDU (Pierre Beyssac)
Mon Jan 22 18:25:51 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-ID:  <20010119203001.A8935@fasterix.frmug.org>
Date:         Fri, 19 Jan 2001 20:30:01 +0100
Reply-To: Pierre Beyssac <pb@FASTERIX.FREENIX.ORG>
From: Pierre Beyssac <pb@FASTERIX.FREENIX.ORG>
X-To:         Paul Starzetz <paul@starzetz.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3A687EDB.CCA74F8C@starzetz.de>; from Paul Starzetz on Fri,
              Jan 19, 2001 at 06:52:27PM +0100

On Fri, Jan 19, 2001 at 06:52:27PM +0100, Paul Starzetz wrote:
> The buffer overflowed is an 80-byte static local buffer:
> 	static char buf[80];

It is patched by default in FreeBSD's package collection. Here's
the patch below (author: jseger@freebsd.org).

I have also issued a bugfix release including this patch, available
from http://www.freenix.org/reseau/bing-1.0.5.tar.gz

--- bing.c.orig	Thu Jul 20 16:45:32 1995
+++ bing.c	Sat Mar  4 16:13:05 2000
@@ -718,13 +718,13 @@
 	u_long l;
 {
 	struct hostent *hp;
-	static char buf[80];
+	static char buf[MAXHOSTNAMELEN+19];

 	if ((options & F_NUMERIC) ||
 	    !(hp = gethostbyaddr((char *)&l, 4, AF_INET)))
-		(void)sprintf(buf, "%s", inet_ntoa(*(struct in_addr *)&l));
+		(void)snprintf(buf, sizeof(buf), "%s", inet_ntoa(*(struct in_addr *)&l));
 	else
-		(void)sprintf(buf, "%s (%s)", hp->h_name,
+		(void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name,
 		    inet_ntoa(*(struct in_addr *)&l));
 	return(buf);
 }
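Review bot: the new declaration `static char buf[MAXHOSTNAMELEN+19];` is sized for the worst case of the "%s (%s)" branch (a name of up to MAXHOSTNAMELEN characters, then " (", a dotted quad of up to 15 characters, ")" and the terminating NUL), but that arithmetic is not written down anywhere; a short comment at the declaration would save the next reader from re-deriving it, and the file should be checked to include <sys/param.h> so MAXHOSTNAMELEN is actually defined wherever this builds. Both snprintf calls also discard their return value, so a hp->h_name longer than the buffer allows (gethostbyaddr returns whatever the DNS answer contained, which MAXHOSTNAMELEN does not bound) is silently cut short instead of being reported; that is the safe outcome for the overflow, but callers that treat the returned buf as a complete name should know it can be truncated.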

--
Pierre Beyssac	      pb@fasterix.frmug.org pb@fasterix.freenix.org
      Linux: those who don't worship it are necessarily idiots
    Free domains: http://www.eu.org/ or mail dns-manager@EU.org
