Re: RADIUSD: Big security holes (fwd)
Curt Eckhart (curt@genesis.shadetree.com)
Mon, 9 Sep 1996 09:22:44 -0400
> From: "John W. Temples" <john@kuwait.net>
> Date: Sat, 7 Sep 1996 12:15:36 +0300 ()
>
> > The quickie patch to fix this buffer overflow in Livingston Radius 1.16
> > follows:
> >
> > #---[ cut here ]---
> > 58a59
> > > static char hostnamebuffer[100];
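Review bot: `static char hostnamebuffer[100];` is a single shared buffer handed back by reference, so every ip_hostname() call overwrites the previous result; a caller that formats two lookups in one sprintf, or keeps the pointer across a second call, sees the later name both times. A caller-supplied buffer (or an allocated copy the caller frees) avoids that aliasing.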
> > 67c68,69
> > < return(hp->h_name);
> > ---
> > > strncpy(hostnamebuffer, hp->h_name, 99);
> > > return(hostnamebuffer);
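Review bot: `strncpy(hostnamebuffer, hp->h_name, 99);` writes no terminator when h_name is 99 bytes or longer; the result is terminated only because index 99 of the static buffer is never written and keeps its zero initialisation. State that explicitly with `hostnamebuffer[99] = '\0';` after the copy. Note also that capping the name at 99 bytes does nothing for the fixed-size sprintf targets at the call sites (the 128-byte msg in radiusd.c raised in the reply above), so the bound has to be applied where the message is formatted, not just where the name is copied.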
> > #---[ cut here ]---
> >
>
> This patch doesn't completely fix the buffer overflow. Take a look at
> this line of code in radiusd.c:
>
> sprintf(msg, "Dropping duplicate: from %s - ID: %d\n",
> ip_hostname(authreq->ipaddr), authreq->id);
>
> There are 32 characters of text there, plus 99 for the hostname if the
> patch is applied, plus the ID, which gives around 136 characters. "msg"
> is declared as 128 characters. There are several other sprintfs which are
> even longer.
This has been a long-standing problem for a long time. Does there
exist a function call which can count the number of characters that a
sprintf *will* generate without actually doing the sprintf? It could be
CPU expensive, but with it we could create a function which would be a
combination of sprintf/strdup (i.e. create a formatted string from
dynamic storage). That would plug this type of hole forever.
> - --
> John W. Temples, III || Providing the first public access Internet
> Gulfnet Kuwait || site in the Arabian Gulf region
>
>
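The sprintf/strdup combination asked about above, as an added example that is not part of this thread or of the Livingston code: C99 vsnprintf with a NULL buffer and size 0 returns the character count the output would need without writing anything, so the string can be sized before it is formatted. The hostname below is a constructed 199-byte value, not a real lookup, and the message format is the "Dropping duplicate" line quoted from radiusd.c.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into freshly allocated storage. The first vsnprintf pass only
 * measures (C99: NULL buffer, size 0 returns the length needed); the
 * second writes into a buffer of exactly that size plus the NUL. */
char *fmt_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);          /* measuring pass */
    va_end(ap);
    if (n < 0) { va_end(ap2); return NULL; }      /* encoding error */
    char *buf = malloc((size_t)n + 1);
    if (buf) vsnprintf(buf, (size_t)n + 1, fmt, ap2);  /* sized pass */
    va_end(ap2);
    return buf;                                   /* caller frees */
}

/* The radiusd message built with dynamic storage instead of msg[128]. */
char *drop_duplicate_msg(const char *host, int id)
{
    return fmt_alloc("Dropping duplicate: from %s - ID: %d\n", host, id);
}

/* Bytes (including the NUL) a plain sprintf of that message would have
 * written into a fixed buffer; compare against the 128 declared in radiusd.c. */
size_t drop_duplicate_bytes(const char *host, int id)
{
    int n = snprintf(NULL, 0, "Dropping duplicate: from %s - ID: %d\n", host, id);
    return n < 0 ? 0 : (size_t)n + 1;
}

int main(void)
{
    char host[200];                               /* constructed 199-char hostname */
    memset(host, 'a', sizeof host - 1);
    host[sizeof host - 1] = '\0';
    char *m = drop_duplicate_msg(host, 7);
    if (!m) return 1;
    printf("needs %zu bytes; msg[128] would overflow: %s\n",
           drop_duplicate_bytes(host, 7), drop_duplicate_bytes(host, 7) > 128 ? "yes" : "no");
    free(m);
    return 0;
}
```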