Buffer overflow in inndstart

Russ Allbery rra at stanford.edu
Tue Sep 7 04:23:40 UTC 1999

Forrest J Cavalier <mibsoft at mibsoftware.com> writes:

> Safe code, which logs attempts, would be similar to:

>   (void)sprintf(buff, "BIND_INADDR=")
>   if (strlen(p) > sizeof(buff)-strlen(buf)-1) {
>       syslog(L_FATAL, "inndstart cant copy BIND_INADDR");
>       exit(1);
>   }
>   strcat(buff,p);

> (Alternatively a strncat() with store of '\0' would silently truncate
> while preventing the overflow.)  I'd prefer the attempt was logged.

This is just papering over the problem.  The environment population code
in inndstart is completely wrong.  It shouldn't be using a fixed buffer at
any stage; it should be allocating the required memory up-front, since it
can calculate exactly how much memory it will need.

I'll try to get to rewriting the whole mess tonight.

Russ Allbery (rra at stanford.edu)         <URL:http://www.eyrie.org/~eagle/>

More information about the inn-workers mailing list