inn-2.2 inews buffer overflow
Russ Allbery
rra at stanford.edu
Sat Aug 21 04:34:48 UTC 1999
Jeff King <peff at dbd.com> writes:
> I have discovered a potential buffer overflow in frontends/inews.c from
> the inn-2.2 release (I also grabbed the nightly snapshot from 8/19/1999
> -- the bug still appears to be present). The issue is that there is no
> bounds-checking on "from" headers given on the command line; when copied
> into SMBUF-sized buffers, an overflow can occur and arbitrary code can
> be executed. I have included a patch against the 8/19 snapshot which
> changes the offending strcpy()s to strncpy()s.
I've committed your patch against both the current and STABLE branches.
The header parsing in INN really needs to be integrated between the
multiple different bits of code that use it at some point.
> Another solution would be to bounds-check the argument as it is pulled
> from optarg (which might be a little saner -- checking data as it comes
> into the program would save checking it *every* time it gets used).
Looking over the code, I think that bit can also come from the article as
well as the command line. In any event, I dislike strcpy() unless one can
verify from within the same routine that there is no possibility ever of
an overflow, which clearly isn't the case here since BUFSIZ is a
system-dependent constant. So I think this change is good regardless of
what other fixes are made.
--
Russ Allbery (rra at stanford.edu) <URL:http://www.eyrie.org/~eagle/>
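The two fixes discussed above side by side, as an added example written for this archive page rather than code from INN or from either poster: the unbounded strcpy() pattern the report describes, a bounded replacement that also writes the NUL terminator strncpy() omits when the source fills the buffer, and a length check of the kind Jeff King suggests applying once at the point where the value enters the program. The SMBUF value and the function names are assumptions for the example; INN's own definitions may differ.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for this example; INN defines its own SMBUF constant. */
#define SMBUF 256

/*
 * The pattern the report describes: the From value is copied with strcpy()
 * into a fixed SMBUF-sized buffer with no length check, so any value of
 * SMBUF bytes or longer writes past the end of 'from'. Shown for contrast
 * only; never reached with untrusted input below.
 */
void set_from_unchecked(char *from /* SMBUF bytes */, const char *value)
{
    strcpy(from, value); /* no bound: overflows when strlen(value) >= SMBUF */
}

/*
 * Bounded replacement. strncpy() alone leaves the buffer unterminated when
 * the source is at least fromsize bytes long, so the terminator is written
 * explicitly. Returns 0 on a clean copy, -1 if the value had to be truncated.
 */
int set_from_bounded(char *from, size_t fromsize, const char *value)
{
    if (fromsize == 0)
        return -1;
    strncpy(from, value, fromsize - 1);
    from[fromsize - 1] = '\0';
    return strlen(value) < fromsize ? 0 : -1;
}

/*
 * The alternative mentioned in the thread: validate the value once where it
 * enters the program (for example straight from optarg) so that every later
 * copy into an SMBUF-sized buffer is known to fit. Returns 1 if the value
 * fits with room for the terminator, 0 otherwise.
 */
int from_value_fits(const char *value)
{
    return strlen(value) < SMBUF;
}

int main(void)
{
    char from[SMBUF];
    char toolong[SMBUF + 64]; /* constructed over-long input */

    memset(toolong, 'A', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';

    printf("fits: %d\n", from_value_fits(toolong)); /* 0: rejected at entry */
    printf("copy: %d\n", set_from_bounded(from, sizeof from, toolong)); /* -1 */
    printf("stored length: %zu\n", strlen(from)); /* SMBUF - 1, terminated */
    return 0;
}
```

Either approach on its own closes the overflow; checking at the entry point is cheaper when the value is used in many places, while the bounded copy protects each use even when the value arrives by a route the entry check did not cover, which is the point Russ makes about the header also coming from the article.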