Re: RADIUSD: Big security holes (fwd)

John W. Temples (john@kuwait.net)
Sat, 7 Sep 1996 12:15:36 +0300 ()

> The quickie patch to fix this buffer overflow in Livingston Radius 1.16
> follows:
>
> #---[ cut here ]---
> 58a59
> > static char hostnamebuffer[100];
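Review bot: `static char hostnamebuffer[100]` turns the return value into one shared buffer, so every call overwrites the previous result; a caller that uses two ip_hostname() results in one expression (two `%s` in one sprintf) gets the same string twice. If any caller holds more than one result at a time, have it pass in its own buffer rather than returning a static one.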
> 67c68,69
> < return(hp->h_name);
> ---
> > strncpy(hostnamebuffer, hp->h_name, 99);
> > return(hostnamebuffer);
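Review bot: the 99-byte strncpy bounds this function but not its callers: the name it returns is still fed to unbounded sprintf calls in radiusd.c whose destination buffers were sized without this limit in mind (the reply below shows a 128-byte `msg` that 99 bytes of hostname plus the fixed text and ID already exceeds). Either size the copy to what the smallest caller buffer can hold, or replace each such sprintf with a length-bounded snprintf, and add `hostnamebuffer[99] = '\0';` after the strncpy so termination does not depend on the static buffer's initial zero byte.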
> #---[ cut here ]---
>

This patch doesn't completely fix the buffer overflow. Take a look at
this line of code in radiusd.c:

sprintf(msg, "Dropping duplicate: from %s - ID: %d\n",
ip_hostname(authreq->ipaddr), authreq->id);

There are 32 characters of text there, plus 99 for the hostname if the
patch is applied, plus the ID, which gives around 136 characters. "msg"
is declared as 128 characters. There are several other sprintfs which are
even longer.

--
John W. Temples, III       ||       Providing the first public access Internet
Gulfnet Kuwait             ||            site in the Arabian Gulf region
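The length arithmetic in the reply above, carried through as an added example (not radiusd's code and not part of the original post): a stand-in for the patched ip_hostname(), a function that computes how many bytes the "Dropping duplicate" message needs without writing it anywhere, and a bounded replacement for the sprintf. The names bounded_hostname, duplicate_msg_len, duplicate_msg_fits, format_duplicate_msg and max_len_hostname are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 128      /* radiusd.c declares msg as 128 bytes */
#define HOSTNAME_MAX 99   /* the quoted patch copies at most 99 bytes */

/* Stand-in for the patched ip_hostname(): copy into a bounded static
 * buffer. Constructed for this example; not radiusd's own code. */
static const char *bounded_hostname(const char *h_name) {
    static char hostnamebuffer[HOSTNAME_MAX + 1];
    strncpy(hostnamebuffer, h_name, HOSTNAME_MAX);
    hostnamebuffer[HOSTNAME_MAX] = '\0';   /* explicit terminator */
    return hostnamebuffer;
}

/* Constructed worst case: a hostname exactly at the 99-byte limit. */
const char *max_len_hostname(void) {
    static char h[HOSTNAME_MAX + 1];
    memset(h, 'a', HOSTNAME_MAX);
    h[HOSTNAME_MAX] = '\0';
    return h;
}

/* Bytes the message would occupy (excluding the NUL), measured with
 * snprintf(NULL, 0, ...) so no buffer is written at all. */
size_t duplicate_msg_len(const char *host, int id) {
    int n = snprintf(NULL, 0, "Dropping duplicate: from %s - ID: %d\n",
                     bounded_hostname(host), id);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the message plus NUL fits in the 128-byte msg, 0 if the original
 * sprintf would write past the end of it. */
int duplicate_msg_fits(const char *host, int id) {
    return duplicate_msg_len(host, id) + 1 <= MSG_SIZE;
}

/* Bounded replacement for the sprintf: never writes past msg_size.
 * Returns 1 on success, 0 if the message had to be truncated. */
int format_duplicate_msg(char *msg, size_t msg_size, const char *host, int id) {
    int n = snprintf(msg, msg_size, "Dropping duplicate: from %s - ID: %d\n",
                     bounded_hostname(host), id);
    return n >= 0 && (size_t)n < msg_size;
}

int main(void) {
    printf("short host needs %zu bytes, fits=%d\n",
           duplicate_msg_len("localhost", 1), duplicate_msg_fits("localhost", 1));
    printf("99-byte host needs %zu bytes, fits=%d\n",
           duplicate_msg_len(max_len_hostname(), 255),
           duplicate_msg_fits(max_len_hostname(), 255));
    return 0;
}
```

The fixed text of the format string is 33 bytes including the newline, so a 99-byte hostname and a three-digit ID need 135 bytes plus the terminator, which is why the 128-byte buffer is too small even after the patch.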