two bugs: can not read hash from configuration file, access to prohibited memory

Piotr Klaban makler at
Mon Apr 26 13:34:02 UTC 2004


IMHO the CONFgetword() function from inn-2.4.1/lib/conffile.c:
1. wrongly interprets the configuration files.
2. tries to read the memory from outside of the file (instead
   of my conf file, I can get result from /etc/hosts file).

ad. 1.:

I want to read the following from the conf file (example):

dbpassword: "test#"
other: things

The CONFgetword first strips '#' instead of looking
for double quotes. I can write:

dbpassword: test\#

but then I must strip backslash by myself ... it should be
stripped by CONFgetword(). Currently I see no way to read
a password with hash inside from the configuration file.

2. If the file looks like this:

dbpassword: "test#"
other: things

then CONFgetword() reads all of the file looking for
the second double quote. Because it can not find the
second double quote - 't' variable is pointed at the end of file
(after the last hash):

     88         break;
     89     } while (!cfeof(F));
     90     *t++ = '\0';
     91   }
     92   else {
     99   for (p = F->buf; *t != '\0'; t++)
    100     *p++ = *t;
    101   *p = '\0';

Then in line no. 90 t is incremented and points outside of the
configuration file, and in line no. 100 'p' points to 't',
and random data is returned (in my case [Solaris8] it was an entry from
/etc/hosts file).

The following one-line patch should be introduced into the inn-2.4.1:

--- inn-2.4.1/lib/conffile.c    Wed Jan  7 23:47:19 2004
+++ inn-2.4.1-changed/lib/conffile.c    Sat Apr 24 17:45:52 2004
@@ -87,6 +87,7 @@ static char *CONFgetword(CONFFILE *F)
     } while (!cfeof(F));
+    if (*t != '\0')
     *t++ = '\0';
   else {
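
Review bot: The new `if (*t != '\0')` guard in front of `*t++ = '\0';` stops `t` from stepping past the end, but an unterminated quote is still accepted silently: when the `while (!cfeof(F))` loop runs out of input without finding the closing quote, the word is returned as if it were well formed. Consider reporting a syntax error (or returning NULL) in that branch so the caller sees the missing quote. The guard also relies on the byte at `t` being the terminating NUL at end of input, which deserves a one-line comment, and the guarded statement should be indented under the `if`. This hunk does not change the order of '#' stripping and quote handling, so the first issue in the report (a '#' inside double quotes) needs a separate change.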

Best regards,

Piotr Klaban
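
The two problems reported above, shown in a small bounded parser. This is an added example, not part of the original message and not INN's code: `parse_value()` is a hypothetical helper that assumes one `key: value` pair per line, treats '#' as a comment only outside double quotes, strips a backslash escape itself, and rejects an unterminated quote instead of scanning past the end of the data.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not INN code: parse_value() is a hypothetical helper.
 * Copies the value of one "key: value" line into out and returns its
 * length, or -1 on a missing colon, an unterminated quote or a too-small
 * output buffer. It never reads at or beyond line + len. */
static int parse_value(const char *line, size_t len, char *out, size_t outsz)
{
    const char *end = line + len;
    const char *p = memchr(line, ':', len);
    size_t n = 0, keep = 0;
    int quoted = 0;

    if (p == NULL || outsz == 0)
        return -1;
    for (p++; p < end && (*p == ' ' || *p == '\t'); p++)
        ;                               /* skip blanks after the colon */
    for (; p < end && *p != '\n'; p++) {
        char c = *p;
        if (c == '"') {                 /* toggle quoting, drop the quote */
            quoted = !quoted;
            keep = n;                   /* blanks inside quotes are kept */
            continue;
        }
        if (c == '#' && !quoted)        /* a comment starts only outside quotes */
            break;
        if (c == '\\' && !quoted && p + 1 < end && p[1] != '\n')
            c = *++p;                   /* strip the backslash, keep next char */
        if (n + 1 >= outsz)
            return -1;
        out[n++] = c;
    }
    if (quoted)                         /* input ended inside the quotes */
        return -1;
    while (n > keep && (out[n - 1] == ' ' || out[n - 1] == '\t'))
        n--;                            /* trim blanks left before a comment */
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    const char line[] = "dbpassword: \"test#\"   # constructed sample\n";
    char out[64];
    int n = parse_value(line, strlen(line), out, sizeof out);
    printf("%d %s\n", n, n < 0 ? "(error)" : out);
    return 0;
}
```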
