Bugtraq mailing list archives
radius
From: brian () saturn net (Brian Mitchell)
Date: Thu, 25 Jul 1996 02:05:03 -0400
There appear to be a few slight problems, overflow-wise, in the radius daemon. It uses a function called ip_hostname() (in util.c). This function returns the hostname; it uses a static variable (128 bytes). This in and of itself is not a good thing, however this returned hostname is sprintf()'d a few times in the event of an error.

Here is the ip_hostname() function (util.c) and a list of functions (from radiusd.c) that contain problems. Searching for ip_hostname() in radiusd.c is useful.

First, the ip_hostname() code:

    /* From util.c. UINT4 and ipaddr2str() are the radius daemon's own
     * typedef and helper; the headers below supply gethostbyaddr(),
     * htonl(), struct in_addr and AF_INET. */
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    char *
    ip_hostname(ipaddr)
    UINT4 ipaddr;
    {
            struct hostent *hp;
            static char hstname[128];   /* static: overwritten on every call */
            UINT4 n_ipaddr;

            n_ipaddr = htonl(ipaddr);
            hp = gethostbyaddr((char *)&n_ipaddr, sizeof (struct in_addr), AF_INET);
            if (hp == 0) {
                    /* lookup failed: fall back to the dotted-quad address text */
                    ipaddr2str(hstname, ipaddr);
                    return(hstname);
            }
            /* hp->h_name is returned as-is and can be much longer than 128 bytes */
            return(hp->h_name);
    }

Most of these functions use a 128 byte char array that is stored on the stack. They sprintf() a message + ip_hostname() to it and use msg as an argument to log_err().

    rad_spawn_child()
    rad_passchange()
    calc_digest()

Brian Mitchell
brian () saturn net
"I never give them hell. I just tell the truth and they think it's hell" - H. Truman
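The pattern the post describes, placed next to a bounded replacement, as an added example that is not part of the original post or of the radius daemon's code. The message prefix, the function names format_unbounded(), format_bounded() and overlong_hostname_is_contained(), and the constructed 299-byte hostname are assumptions made for the demo; the 128-byte buffer size is the one quoted above.

```c
#include <stdio.h>
#include <string.h>

#define MSG_LEN 128   /* the same size as the stack buffers in radiusd.c */

/*
 * The pattern the post describes: a fixed-size stack buffer filled with
 * sprintf(). Nothing limits the write, so a hostname longer than the room
 * left after the prefix runs past the end of msg. Kept only for contrast
 * with format_bounded() below.
 */
static void format_unbounded(char msg[MSG_LEN], const char *prefix, const char *host)
{
    sprintf(msg, "%s from %s", prefix, host);
}

/*
 * Bounded replacement: snprintf() writes at most msglen bytes including the
 * terminating NUL, whatever the length of host. Returns 0 if the whole
 * message fit, 1 if it had to be cut short (worth logging in its own right,
 * since a hostname that does not fit in 128 bytes is itself unusual), and
 * -1 on an encoding error.
 */
int format_bounded(char *msg, size_t msglen, const char *prefix, const char *host)
{
    int needed = snprintf(msg, msglen, "%s from %s", prefix, host);
    if (needed < 0) {
        msg[0] = '\0';
        return -1;
    }
    return (size_t)needed >= msglen;
}

/*
 * Demo with constructed input: a 299-character hostname (DNS allows up to
 * 255 bytes, already far more than 128). A sentinel byte sits right after
 * the 128-byte buffer. Returns 1 if the bounded formatter reported
 * truncation, left the sentinel intact and NUL-terminated the buffer.
 */
int overlong_hostname_is_contained(void)
{
    char host[300];
    char buf[MSG_LEN + 1];
    int truncated;

    memset(host, 'a', sizeof host - 1);
    host[sizeof host - 1] = '\0';

    buf[MSG_LEN] = 0x5A;   /* sentinel just past the buffer */
    truncated = format_bounded(buf, MSG_LEN, "Authentication failure", host);

    return truncated == 1 && buf[MSG_LEN] == 0x5A && strlen(buf) == MSG_LEN - 1;
}

int main(void)
{
    char msg[MSG_LEN];

    /* Short, constructed hostname: both versions produce the same text. */
    format_unbounded(msg, "Authentication failure", "nas.example.net");
    printf("unbounded: %s\n", msg);

    printf("overlong hostname contained: %s\n",
           overlong_hostname_is_contained() ? "yes" : "no");
    return 0;
}
```

The important design point is that the bound belongs in the consumer: ip_hostname() returns hp->h_name without copying it, so no change inside that function can shrink what gethostbyaddr() hands back, and every caller that formats the name into a fixed buffer has to pass the buffer's size along.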