Date:	Tue, 16 Feb 1999 00:42:49 +0000
From:	Rupert Weber-Henschel <rupert.weber@IBM.NET>
Subject:      snplog-1.0  buffer overflow
To:	BUGTRAQ@NETSPACE.ORG
There is a possible buffer overflow in snplog-1.0. Or is it 0.1?  The
tar file is 0.1, the docs say 1.0. %)
(snplog contains tcplogd, icmplogd, udplogd)
The offending code is a sscanf() which parses the response of a remote
identd.
In rfc1413.c, around line 80:
            /* minimal parsing, we just want the username */
            sscanf(buf,
                   "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] : %[^\n\r]",
                   ret);
where buf contains up to 512 bytes received from the identd, but ret has
only 64 bytes.
I don't know if this is exploitable in terms of root compromise (ret is
malloc'ed, not on the stack), but a quick test made me press the reset
button...
The obvious quick fix is to add a 63 after the last %:
            sscanf(buf,
                   "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] : %63[^\n\r]",
                   ret);
While I still don't like the idea of having a beast like scanf in
critical code at all...
The homepage for snplog is:
	http://www.franken.de/users/gauss/snplog/
The author has been notified, of course.
Cheers,
Rupert
--
Rupert Weber-Henschel
E-Mail: rw@times-square.net
Fax: +49-89-34023886
PGP Public Key: http://www.cip.physik.uni-muenchen.de/~weber
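
Added example, not part of the original post and not snplog's code: the width-limited format from the message wrapped in a function that also checks sscanf()'s return value, exercised with a full 512-byte reply. The names parse_ident_user, IDENT_USER_MAX and oversized_reply_is_truncated are hypothetical, and the identd replies are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define IDENT_USER_MAX 64 /* destination size given in the post */

/* Hypothetical helper, not snplog code: pull the user id out of an
 * RFC 1413 reply with the width-limited format. Returns the stored
 * length, or -1 when the reply has no user id field (e.g. ERROR). */
int parse_ident_user(const char *buf, char ret[IDENT_USER_MAX])
{
    ret[0] = '\0';
    /* %63[...] stores at most 63 bytes plus the terminating NUL */
    if (sscanf(buf,
               "%*d , %*d : %*[^ \t\n\r:] : %*[^\t\n\r:] : %63[^\n\r]",
               ret) != 1)
        return -1;
    return (int)strlen(ret);
}

/* Constructed input: a full 512-byte reply whose user id field is
 * 481 bytes long. Returns 1 if only 63 bytes were stored and the
 * guard bytes placed directly behind the buffer are untouched. */
int oversized_reply_is_truncated(void)
{
    struct { char ret[IDENT_USER_MAX]; char guard[8]; } s;
    char buf[512];
    int n = snprintf(buf, sizeof buf, "6191 , 23 : USERID : UNIX : ");

    memset(buf + n, 'A', sizeof buf - n - 3);
    memcpy(buf + sizeof buf - 3, "\r\n", 3); /* CR, LF, NUL */
    memset(s.guard, 0x5a, sizeof s.guard);

    int len = parse_ident_user(buf, s.ret);
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5a)
            return 0;
    return len == 63;
}

int main(void)
{
    char user[IDENT_USER_MAX];
    int len = parse_ident_user("6191 , 23 : USERID : UNIX : stjohns\r\n", user);
    printf("normal reply: %d bytes, \"%s\"\n", len, user);
    printf("oversized reply truncated: %d\n", oversized_reply_is_truncated());
    return 0;
}
```

The return-value check matters because sscanf() leaves ret unwritten when the reply is an ERROR line or otherwise fails to match, so a caller must not use it in that case.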