Bugtraq mailing list archives

Re: possible lpd remote vulnerability


From: cyber () DIS ORG (Evil Erik)
Date: Sat, 30 Nov 1996 12:39:46 -0800


] Howdy,
]
] I was looking through lpd sources and noticed something that can actually be
] a remote vulnerability in lpd, allowing for stack overflow and thus
] arbitrary machine code execution.  The piece of code that I'm suspicious
] about is
]
] lpd.c, line 463
]         hp = gethostbyaddr((char *)&f->sin_addr,
]             sizeof(struct in_addr), f->sin_family);
]         if (hp == 0)
]                 fatal("Host name for your address (%s) unknown",
]                         inet_ntoa(f->sin_addr));
]
]         strcpy(fromb, hp->h_name);
]         from = fromb;
<snip>

] after a call to gethostbyaddr() h_name, i.e. hostname of the remote machine,
] is copied first to fromb then to ahost without checking for length.
<snip>

] The code I was looking at was obtained from Debian Linux distribution
] sources, lpd version is 5.19.  But I suspect that all lpd's around that are
] derived from BSD lpd have this piece of code, including commercial Unices.
]
] Can somebody confirm this or show that I'm wrong?  I can then make a
] summary.

This is from NetBSD-current :
/*      $NetBSD: lpd.c,v 1.8 1996/09/21 15:57:22 perry Exp $    */
Earlier versions may be fixed, but without CVS access I can't tell.

lpd.c, line 482:

        hp = gethostbyaddr((char *)&f->sin_addr,
            sizeof(struct in_addr), f->sin_family);
        if (hp == NULL)
                fatal("Host name for your address (%s) unknown",
                        inet_ntoa(f->sin_addr));

        (void) strncpy(fromb, hp->h_name, sizeof(fromb));
        from[sizeof(fromb) - 1] = '\0';
        from = fromb;

-=erik.
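The pattern the thread is about, the unbounded strcpy() of a resolver-supplied h_name versus a bounded copy, as an added example that is not lpd code from either post or from NetBSD. The buffer size, the hostnames and the accept_peer_name() wrapper are constructed for the example. Two details worth noting from the NetBSD snippet above: strncpy() does not NUL-terminate when the source fills the buffer, so an explicit terminator is needed, and that terminator must be written into fromb itself; the snippet writes it through from before from is pointed at fromb, so it lands in whatever from held before.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not lpd source). HOSTBUF is a constructed stand-in for the
 * size of lpd's fromb[]; real lpd sizes it with MAXHOSTNAMELEN. */
#define HOSTBUF 32

/* The pattern flagged in the thread: an unbounded strcpy() of a name the
 * remote side's reverse DNS controls. Any name longer than HOSTBUF-1 bytes
 * overruns dst. Kept only for comparison; called below with a short name. */
static void copy_host_unbounded(char *dst, const char *h_name)
{
    strcpy(dst, h_name);
}

/* Bounded form: copy at most dstlen-1 bytes, always terminate the destination
 * buffer itself, and tell the caller whether the full name fit so it can
 * refuse the connection instead of silently using a clipped name.
 * Returns true if the whole name fit, false if it was truncated. */
static bool copy_host_bounded(char *dst, size_t dstlen, const char *h_name)
{
    if (dstlen == 0)
        return false;
    strncpy(dst, h_name, dstlen - 1);
    dst[dstlen - 1] = '\0';          /* terminate dst, not some other pointer */
    return strlen(h_name) < dstlen;
}

/* Mirrors lpd's decision: an unresolvable address is fatal, and here an
 * overlong name is treated the same way rather than copied anyway.
 * Returns fromb on success, NULL when the peer should be rejected. */
static const char *accept_peer_name(const char *h_name, char *fromb, size_t fromblen)
{
    if (h_name == NULL)
        return NULL;                 /* "Host name for your address unknown" */
    if (!copy_host_bounded(fromb, fromblen, h_name))
        return NULL;                 /* overlong name: refuse, do not truncate */
    return fromb;
}

int main(void)
{
    char fromb[HOSTBUF];
    /* Constructed sample names; the long one stands in for a hostile PTR record. */
    const char *ok = "printer.example.org";
    char evil[200];
    memset(evil, 'A', sizeof(evil) - 1);
    evil[sizeof(evil) - 1] = '\0';

    copy_host_unbounded(fromb, ok);  /* safe only because ok is known short */
    printf("%s -> %s\n", ok,
           accept_peer_name(ok, fromb, sizeof fromb) ? fromb : "(rejected)");
    printf("%zu-byte name -> %s\n", strlen(evil),
           accept_peer_name(evil, fromb, sizeof fromb) ? fromb : "(rejected)");
    return 0;
}
```

The check on the return value matters as much as the bounded copy: a truncated hostname can still match an allow-list entry it should not, so the wrapper rejects rather than clips.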


