Re: String overflow problem?

Dale E. Reed Jr. (daler@iea.com)
Wed, 09 Oct 1996 20:29:33 -0700

John W. Temples wrote:
>
> I was trying to track down a radiusd core dump which appeared to be
> triggered by accounting stop packets containing a username with a large
> number of blanks at the end. I found this in radius.h:
>
> #define AUTH_STRING_LEN 128 /* maximum of 254 */
>
> As I read the RADIUS draft, an attribute string can be up to 253 bytes
> (not 254); in any event, why is the code using a 128 byte buffer which
> gets memcpy'd to without a bounds check? Does ComOS have a 127 byte
> limitation in the length of an attribute value?

There is also an interesting issue with the AuthInfo.secret length
which is only 16 characters. In the routine where the secret is
checked, the buffer string is 128 characters. It then does a strcpy
from that to the authinfo.secret, which is 16 chars. When I finished
the ODBC read in routines, I didn't catch that and every auth was
trashing the authinfo structure and overwriting portions of the
structure causing random crashing.

-- 
Dale E. Reed Jr.  (daler@iea.com)
_____________________________________________________________________
 Internet Engineering Associates   |  RadiusNT, Emerald, and NT FAQs
  Internet Solutions for Today     |    http://www.emerald.iea.com
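The two unchecked copies discussed in this thread (the strcpy of a 128-byte buffer into a 16-byte secret field, and the memcpy of an attribute value into a 128-byte buffer), each beside a bounded replacement, as an added example that is not code from the original posts or from radiusd. The struct layout, the `port` field and the function names are assumptions; the three sizes are the ones quoted above.

```c
#include <string.h>

/* Constructed for this example: the sizes named in the thread. */
#define AUTH_STRING_LEN  128   /* the radius.h buffer John quotes */
#define SECRET_LEN        16   /* the AuthInfo.secret field Dale mentions */
#define RADIUS_MAX_VALUE 253   /* length octet max 255 minus the 2 header bytes */

/* Hypothetical layout of the structure Dale saw corrupted: a fixed-size
 * secret with other fields after it.  strcpy() of a 128-byte string into
 * secret runs past it into port, which is the random-crash symptom. */
struct auth_info {
    char secret[SECRET_LEN];
    unsigned int port;         /* hypothetical neighbour that gets clobbered */
};

/* Bounded replacement for the unchecked strcpy: reject a secret that does
 * not fit including its NUL.  Returns 0 on success, -1 if rejected. */
int set_secret(struct auth_info *ai, const char *src)
{
    size_t n = strlen(src);
    if (n >= SECRET_LEN)
        return -1;
    memcpy(ai->secret, src, n + 1);
    return 0;
}

/* Bounded replacement for the unchecked memcpy of an attribute value:
 * attr points at a RADIUS TLV (type, length, value) with avail bytes left
 * in the packet.  Copies the value into dst as a NUL-terminated string only
 * if it fits; returns the value length, or -1 if malformed or oversized. */
int unpack_attr_string(char *dst, size_t dstlen,
                       const unsigned char *attr, size_t avail)
{
    size_t len, vlen;
    if (avail < 2)
        return -1;
    len = attr[1];                       /* covers type + length + value */
    if (len < 2 || len > avail)
        return -1;
    vlen = len - 2;
    if (vlen > RADIUS_MAX_VALUE || vlen + 1 > dstlen)
        return -1;                       /* would overflow dst: refuse it */
    memcpy(dst, attr + 2, vlen);
    dst[vlen] = '\0';
    return (int)vlen;
}
```

A User-Name attribute padded with 200 trailing blanks is refused by unpack_attr_string() when the destination is the 128-byte buffer and accepted into a 254-byte one, which is the check the original memcpy lacked.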