[3003] in bugtraq
radius
daemon@ATHENA.MIT.EDU (Brian Mitchell)
Thu Jul 25 12:23:36 1996
Date: Thu, 25 Jul 1996 02:05:03 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Brian Mitchell <brian@saturn.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
There appear to be a few slight problems, overflow-wise, in the radius
daemon. It uses a function called ip_hostname() (in util.c). This function
returns the hostname; it uses a static variable (128 bytes).
This in and of itself is not a good thing; however, this returned hostname is
sprintf()'d a few times in the event of an error. Here is the
ip_hostname() function (util.c) and a list of functions (from radiusd.c)
that contain problems. Searching for ip_hostname() in radiusd.c is useful.

First, the ip_hostname() code:
    /* util.c excerpt; UINT4 and ipaddr2str() come from the radius headers */
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    char *
    ip_hostname(ipaddr)
    UINT4 ipaddr;
    {
        struct hostent *hp;
        static char hstname[128];   /* only written when the lookup fails */
        UINT4 n_ipaddr;

        n_ipaddr = htonl(ipaddr);
        hp = gethostbyaddr((char *)&n_ipaddr, sizeof (struct in_addr),
                           AF_INET);
        if (hp == 0) {
            /* no reverse record: dotted quad goes into the 128-byte static buffer */
            ipaddr2str(hstname, ipaddr);
            return(hstname);
        }
        /* lookup succeeded: the name handed back is the resolver's own string,
           and no length limit is applied to it here */
        return(hp->h_name);
    }
Most of these functions use a 128-byte char array that is stored on the
stack. They sprintf() a message + ip_hostname() to it and use msg as an
argument to log_err().
rad_spawn_child()
rad_passchange()
calc_digest()
Brian Mitchell brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
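Added example (written for this archive copy; it is not code from the post
or from the radius sources). It shows the two fixes a reviewer would ask for
on the code above: ip_hostname() should always hand back a bounded copy
rather than the raw h_name from gethostbyaddr(), and the callers in
radiusd.c should build their log message with snprintf() instead of
sprintf() into the 128-byte stack buffer. The `resolved` parameter stands in
for hp->h_name so the example runs offline, the "%s from host %s" format is
constructed, and the 255-character hostname is a constructed sample, not
real DNS data. The audit helper generalizes the post's point: a DNS name may
legally be up to 255 octets (RFC 1035), so a 128-byte message buffer is too
small even for standards-compliant input.

```c
#include <stdio.h>
#include <string.h>

#define HSTNAME_LEN 128   /* size of the static hstname[] in util.c */
#define MSG_LEN     128   /* size of the stack msg[] buffers in radiusd.c */

/* Hardened replacement for the tail of ip_hostname(): copy the resolver's
 * name into a caller-owned HSTNAME_LEN buffer with an enforced bound.
 * `resolved` is a hypothetical stand-in for hp->h_name.
 * Returns 1 if the name had to be truncated, 0 otherwise. */
int copy_hostname_bounded(char *dst, size_t dstlen, const char *resolved)
{
    int needed = snprintf(dst, dstlen, "%s", resolved);
    return needed < 0 || (size_t)needed >= dstlen;
}

/* Hardened call site: the log line built with snprintf() into a MSG_LEN
 * buffer. Returns the length the full message would have had, so a caller
 * can detect truncation by comparing it against msglen. */
int build_log_msg(char *msg, size_t msglen, const char *event, const char *host)
{
    return snprintf(msg, msglen, "%s from host %s", event, host);
}

/* Audit helper: would a message for a hostname of `hostlen` bytes fit in a
 * MSG_LEN buffer? " from host " contributes 11 bytes, plus the terminating
 * NUL. For the maximum legal DNS name (255 octets) the answer is no. */
int log_msg_fits(const char *event, size_t hostlen)
{
    return strlen(event) + 11 + hostlen + 1 <= MSG_LEN;
}

/* Constructed sample input: a reverse-lookup answer 255 characters long. */
static char sample_host[256];
const char *constructed_long_hostname(void)
{
    memset(sample_host, 'a', 255);
    sample_host[255] = '\0';
    return sample_host;
}

int main(void)
{
    char hstname[HSTNAME_LEN];
    char msg[MSG_LEN];
    const char *h = constructed_long_hostname();

    int truncated = copy_hostname_bounded(hstname, sizeof hstname, h);
    int needed = build_log_msg(msg, sizeof msg, "Password change failed", hstname);

    printf("hostname truncated: %d, strlen(hstname)=%zu\n", truncated, strlen(hstname));
    printf("message needed %d bytes, buffer holds %zu\n", needed, sizeof msg);
    printf("does a 255-byte name fit the message buffer? %d\n",
           log_msg_fits("Password change failed", 255));
    return 0;
}
```

Returning the would-be length from build_log_msg() keeps the snprintf()
contract visible to the caller: a value of msglen or more means the message
was cut, which is worth logging on its own since it only happens when a
reverse lookup produced an unusually long name.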