(FWD) QPOPPER REMOTE ROOT EXPLOIT


Date: Sat, 27 Jun 1998 14:38:15 -0700
From: "Jordan K. Hubbard" <jkh@time.cdrom.com.>
To: "Aaron D. Gifford" <agifford@infowest.com.>
Subject: Re: (FWD) QPOPPER REMOTE ROOT EXPLOIT
Cc: security@FreeBSD.ORG

> Does the patch to pop_msg.c take into account that a "(void)strcat(message,
> "\r\n"); call appears later on and adds 2 more chars to the message buffer?  

Heh, no.  I missed that.  Here's a revised patch:

--- pop_msg.c.orig	Sat Jun 27 03:09:47 1998
+ pop_msg.c	Sat Jun 27 14:35:49 1998
@@ -27,6 +27,7 @@
 {
     POP             *   p;
     int                 stat;               /*  POP status indicator */
+    int			l, len;		    /*  remaining buffer length */
     char            *   format;             /*  Format string for the message */
     va_list             ap;
     register char   *   mp;
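
Review bot: the new counters in this declaration are signed int, but they are assigned from sizeof and strlen and then passed as the size argument of vsnprintf/snprintf, all of which use size_t. If len is ever driven below zero by a later subtraction, it converts to a very large size and the bound stops protecting the buffer. Declaring both as size_t and checking before each subtraction avoids that. The comment "remaining buffer length" also describes only len, not l.
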
@@ -50,6 +51,7 @@
 
     /*  Point to the message buffer */
     mp = message;
+    len = sizeof(message);
 
     /*  Format the POP status code at the beginning of the message */
     if (stat == POP_SUCCESS)
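
Review bot: the initial value len = sizeof(message) leaves no room for the "\r\n" that is appended at the end of the function, which is the point raised in the question this patch answers. With the full size as the bound, the formatted text can fill the buffer up to its terminating NUL and the line terminator then has nowhere to go. Reserving the two bytes here, for example len = sizeof(message) - 2, keeps the later append within bounds. The assignment also assumes message is an array visible in this scope; its declaration is not shown in the hunk, and if it were a pointer sizeof would give the pointer size.
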
@@ -58,17 +60,18 @@
         (void)sprintf (mp,"%s ",POP_ERR);
 
     /*  Point past the POP status indicator in the message message */
-    mp += strlen(mp);
+    l = strlen(mp);
+    len -= l, mp += l;
 
     /*  Append the message (formatted, if necessary) */
     if (format) 
 #ifdef HAVE_VPRINTF
-        vsprintf(mp,format,ap);
+        vsnprintf(mp,len,format,ap);
 #else
 # ifdef PYRAMID
-        (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
+        (void)snprintf(mp,len,format, arg1, arg2, arg3, arg4, arg5, arg6);
 # else
-        (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
+        (void)snprintf(mp,len,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
                 ((int *)ap)[3],((int *)ap)[4]);
 # endif
 #endif
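
Review bot: the #ifdef HAVE_VPRINTF guard in this hunk still tests for vprintf support, not for vsnprintf, and the two #else branches now call snprintf unconditionally, so platforms that took those branches because they lack the newer printf family may not have snprintf either. A separate feature test or a bundled fallback would be needed. The return value of the bounded calls is also discarded and len is not reduced after formatting, so truncation is silent and the later append has to recompute the remaining space from scratch.
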
@@ -87,7 +90,8 @@
                (p->user ? p->user : "(null)"), p->client, message);
 
     /*  Append the <CR><LF> */
-    (void)strcat(message, "\r\n");
+    len -= strlen(message);
+    (void)strncat(message, len, "\r\n");
         
     /*  Send the message to the client */
     (void)fputs(message,p->output);
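
Review bot: the call strncat(message, len, "\r\n") has its second and third arguments swapped; strncat takes (dest, src, n), so as written the integer is passed where the source string belongs. The count is also wrong: len was already reduced by l in the earlier hunk, and strlen(message) includes that same prefix, so len -= strlen(message) subtracts it twice and can go negative. In addition, strncat's n excludes the terminating NUL, so the bound must be the free space minus one. Computing it fresh, for example sizeof(message) - strlen(message) - 1, and calling strncat(message, "\r\n", n) fixes all three, though when the buffer is already full the CRLF is then dropped unless space was reserved up front.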

