INN BUFFEROVERFLOWS!

Russ Allbery rra at stanford.edu
Tue Jan 16 22:59:31 UTC 2007


zybadawg333 at hushmail.com writes:
> On Tue, 16 Jan 2007 23:21:22 +0100 Russ Allbery <rra at stanford.edu> wrote:
>> zybadawg333 at hushmail.com writes:

>>> innd/cc.c:1810:    i = RECVorREAD(CCchan->fd, buff, bufflen) ;
>>> lib/inndcomm.c:337:    i = RECVorREAD(ICCfd, buff, bufsiz);
>>> lib/inndcomm.c:374:    i = RECVorREAD(ICCfd, buff, rlen);

>> Why do you think those are buffer overflows?

> bufflen/bufsiz/rlen can be larger than sizeof(buff).

Oh, right, the first one is the one that's in the middle of dead code.  I
could have sworn that I'd already fixed that anyway, just in case, but I
must have gotten distracted in the middle of doing so.  Bizarre.  It's
fairly irrelevant, though, since that code is only built on systems
without Unix domain sockets, which every platform supports now (and has
since Linux 1.2).

I think your analysis is incorrect on the one on inndcomm.c:337.  bufsiz
is set at the top of the function and isn't based on the received content.

inndcomm.c:374 is in the same dead code situation.

I'll get these fixed in Subversion right away.  Because it's dead code, I
don't think it's a real security issue, but this sort of thing shouldn't
be sitting around even in dead code.

Thanks!

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
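The pattern the reporter points at above, `RECVorREAD(fd, buff, bufflen)` with a length that is not tied to the real size of `buff`, as an added example that is not part of the original message or of INN's source: a read whose byte count comes from the caller with nothing bounding it to the destination, beside a version that carries the buffer's capacity and refuses an oversized request. `CC_BUFSIZE`, `read_unbounded`, `read_bounded` and `drive_bounded` are hypothetical names chosen for this example; the pipe traffic is constructed inline so the block runs offline.

```c
/* Added example, not INN's code. Names below are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CC_BUFSIZE 64   /* hypothetical fixed-size buffer, stands in for buff[] */

/* Vulnerable shape: `requested` comes from the caller (or from the wire) and
 * is passed straight through to read(); nothing relates it to the size of
 * `buff`. Note that inside this function sizeof(buff) is the size of a
 * pointer, not of the array, so the size must be passed in explicitly. */
ssize_t read_unbounded(int fd, char *buff, size_t requested)
{
    return read(fd, buff, requested);
}

/* Hardened shape: the destination capacity travels with the buffer, and a
 * request larger than the capacity is rejected instead of overrunning it. */
ssize_t read_bounded(int fd, char *buff, size_t bufcap, size_t requested)
{
    if (requested > bufcap) {
        errno = EMSGSIZE;
        return -1;
    }
    return read(fd, buff, requested);
}

/* Drives read_bounded over a pipe carrying `sender_bytes` bytes of constructed
 * data into a CC_BUFSIZE buffer. Returns read_bounded's result (-1 when the
 * request was rejected), or -2 on a setup failure. */
ssize_t drive_bounded(size_t sender_bytes, size_t requested)
{
    int fds[2];
    char src[256];
    char buff[CC_BUFSIZE];
    ssize_t got;

    if (sender_bytes > sizeof(src) || pipe(fds) != 0)
        return -2;
    memset(src, 'A', sizeof(src));
    if (write(fds[1], src, sender_bytes) != (ssize_t) sender_bytes) {
        close(fds[0]);
        close(fds[1]);
        return -2;
    }
    close(fds[1]);
    /* sizeof(buff) is correct here because buff is the array itself. */
    got = read_bounded(fds[0], buff, sizeof(buff), requested);
    close(fds[0]);
    return got;
}

int main(void)
{
    printf("200-byte request into a %d-byte buffer: %ld\n",
           CC_BUFSIZE, (long) drive_bounded(200, 200));
    printf("%d-byte request into a %d-byte buffer: %ld\n",
           CC_BUFSIZE, CC_BUFSIZE, (long) drive_bounded(200, CC_BUFSIZE));
    return 0;
}
```

Rejecting rather than clamping is a design choice: clamping silently truncates a message and can leave the caller parsing a partial record, whereas a hard failure makes the mismatch visible at the call site.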
