Buffer overflow in inndstart
Russ Allbery
rra at stanford.edu
Tue Sep 7 04:23:40 UTC 1999
Forrest J Cavalier <mibsoft at mibsoftware.com> writes:
> Safe code, which logs attempts, would be similar to:
> (void)sprintf(buff, "BIND_INADDR=");
> if (strlen(p) > sizeof(buff) - strlen(buff) - 1) {
>     syslog(L_FATAL, "inndstart can't copy BIND_INADDR");
>     exit(1);
> }
> strcat(buff, p);
> (Alternatively a strncat() with store of '\0' would silently truncate
> while preventing the overflow.) I'd prefer the attempt was logged.
This is just papering over the problem. The environment population code
in inndstart is completely wrong. It shouldn't be using a fixed buffer at
any stage; it should be allocating the required memory up-front, since it
can calculate exactly how much memory it will need.
I'll try to get to rewriting the whole mess tonight.
--
Russ Allbery (rra at stanford.edu) <URL:http://www.eyrie.org/~eagle/>
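The exact-allocation approach Russ describes, as an added example (not INN's own code and not the rewrite he mentions): each NAME=value entry is sized from strlen() before anything is copied, so there is no fixed buffer left to overflow and no length that has to be rejected or truncated. The names make_env_entry, free_envp and make_envp and the execve-style envp layout are assumptions; only BIND_INADDR comes from the thread.

```c
#include <stdlib.h>
#include <string.h>

/* Build "NAME=value" in a heap buffer sized exactly for the result.
 * The length is computed first, so no value, however long, can overflow;
 * NULL means a bad name or an allocation failure.  The caller frees. */
char *make_env_entry(const char *name, const char *value)
{
    size_t nlen, vlen;
    char *entry;

    if (name == NULL || value == NULL || *name == '\0' || strchr(name, '='))
        return NULL;                 /* '=' in a name would corrupt the entry */
    nlen = strlen(name);
    vlen = strlen(value);
    entry = malloc(nlen + 1 + vlen + 1);          /* name '=' value NUL */
    if (entry == NULL)
        return NULL;
    memcpy(entry, name, nlen);
    entry[nlen] = '=';
    memcpy(entry + nlen + 1, value, vlen + 1);    /* copies the NUL too */
    return entry;
}

/* Release an envp[] built by make_envp(). */
void free_envp(char **envp)
{
    size_t i;
    if (envp == NULL) return;
    for (i = 0; envp[i] != NULL; i++) free(envp[i]);
    free(envp);
}

/* Build a NULL-terminated envp[] (execve style) from parallel name/value
 * arrays; every entry is allocated to its exact size, nothing is fixed. */
char **make_envp(const char *names[], const char *values[], size_t n)
{
    char **envp = calloc(n + 1, sizeof(char *));  /* slot n stays NULL */
    size_t i;
    if (envp == NULL) return NULL;
    for (i = 0; i < n; i++) {
        envp[i] = make_env_entry(names[i], values[i]);
        if (envp[i] == NULL) { free_envp(envp); return NULL; }
    }
    return envp;
}
```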