Bugtraq mailing list archives

radius


From: brian () saturn net (Brian Mitchell)
Date: Thu, 25 Jul 1996 02:05:03 -0400


There appear to be a few slight overflow-wise problems in the radius
daemon. It uses a function called ip_hostname() (in util.c). This function
returns the hostname; it uses a static variable (128 bytes).

This in and of itself is not a good thing; however, this returned hostname is
sprintf()'d a few times in the event of an error. Here is the
ip_hostname() function (util.c) and a list of functions (from radiusd.c)
that contain problems. Searching for ip_hostname() in radiusd.c is useful.

First, the ip_hostname() code:

/* UINT4 and ipaddr2str() come from radius's own headers (radius.h);
 * the system headers below are what the function needs to compile. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

char    *
ip_hostname(ipaddr)
UINT4   ipaddr;
{
        struct  hostent *hp;
        static char     hstname[128];   /* only used for the dotted-quad fallback */
        UINT4   n_ipaddr;

        n_ipaddr = htonl(ipaddr);
        hp = gethostbyaddr((char *)&n_ipaddr, sizeof (struct in_addr), AF_INET);
        if (hp == 0) {
                /* reverse lookup failed: format the address as a.b.c.d */
                ipaddr2str(hstname, ipaddr);
                return(hstname);
        }
        /* h_name lives in the resolver's static storage; its length is set
         * by whoever controls the PTR record, not by hstname's 128 bytes */
        return(hp->h_name);
}

Most of these functions use a 128-byte char array that is stored on the
stack. They sprintf() a message + ip_hostname() to it and use msg as an
argument to log_err().

rad_spawn_child()
rad_passchange()
calc_digest()

Brian Mitchell                                          brian () saturn net
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
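The pattern described in the post, as an added example that is not code from the original message or from the radius daemon: a caller formats a fixed prefix plus the result of ip_hostname() into a 128-byte stack buffer with sprintf(), beside the same logging done with snprintf() and a truncation check. The names hostile_hostname, needed_len, would_overflow, log_msg_unsafe, log_msg_safe and the PREFIX string are invented for this example; the 200-byte hostname stands in for what a hostile PTR record could hand back through gethostbyaddr(), and is constructed here rather than looked up.

```c
/* Added example, not code from the original post or from the radius
 * daemon. Models "sprintf() a message + ip_hostname() into a 128-byte
 * stack buffer" and the snprintf() form that bounds the write.
 * Every identifier below is invented for this illustration. */
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 128                                /* buffer size the post quotes */
#define PREFIX   "spawn_child: unknown client "     /* constructed log prefix */

/* Constructed stand-in for ip_hostname() returning a hostile h_name:
 * 200 bytes of 'a'. The length of h_name is chosen by whoever controls
 * the PTR record for the client address, not by the daemon. */
static char long_name[201];
const char *hostile_hostname(void)
{
    memset(long_name, 'a', 200);
    long_name[200] = '\0';
    return long_name;
}

/* Bytes sprintf("%s%s", prefix, host) stores, terminating NUL included. */
size_t needed_len(const char *prefix, const char *host)
{
    return strlen(prefix) + strlen(host) + 1;
}

/* 1 if formatting prefix+host would run past a MSG_SIZE buffer. */
int would_overflow(const char *prefix, const char *host)
{
    return needed_len(prefix, host) > MSG_SIZE;
}

/* The pattern under discussion: sprintf() writes needed_len() bytes no
 * matter how big msg is. Safe only when the caller already knows host
 * is short; with hostile_hostname() this smashes the stack frame.
 * The formatted text is copied to out (MSG_SIZE bytes) for inspection. */
int log_msg_unsafe(char *out, const char *host)
{
    char msg[MSG_SIZE];
    sprintf(msg, "%s%s", PREFIX, host);
    memcpy(out, msg, sizeof msg);
    return 0;
}

/* Hardened form: snprintf() never writes more than sizeof msg bytes and
 * its return value reveals truncation, which is itself worth logging.
 * Returns 1 if the hostname was cut, 0 if it fit. */
int log_msg_safe(char *out, const char *host)
{
    char msg[MSG_SIZE];
    int n = snprintf(msg, sizeof msg, "%s%s", PREFIX, host);
    memcpy(out, msg, sizeof msg);
    return n < 0 || (size_t)n >= sizeof msg;
}

int main(void)
{
    char out[MSG_SIZE];
    const char *host = hostile_hostname();

    printf("needed %zu bytes for a %d-byte buffer: overflow=%d\n",
           needed_len(PREFIX, host), MSG_SIZE, would_overflow(PREFIX, host));
    printf("safe path truncated=%d, kept %zu chars\n",
           log_msg_safe(out, host), strlen(out));
    /* log_msg_unsafe() is deliberately only exercised with a short name */
    log_msg_unsafe(out, "gw.example.net");
    printf("unsafe path with short name: %s\n", out);
    return 0;
}
```

The check that matters in the callers is the one log_msg_safe() makes on snprintf()'s return value: a resolver-supplied name longer than the buffer should be treated as an event to log in its own right, not silently cut.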