Bugtraq mailing list archives

Re: buffer overflow in libsecure (NSA Security-enhanced Linux)


From: Perry Harrington <pedward () WEBCOM COM>
Date: Wed, 27 Dec 2000 15:35:28 -0800

From your message, it would appear that the file parser is at fault, not
truncating the newline in the value.  If the newline is removed, like most
config file parsers, then the allocation logic is correct.

--Perry

value of buf would be "sysadm_r:sysadm_t\n". There are no leading

        (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));

the argument to malloc is 18 - 0 - 8 - 1, which is 9. Then,

        strcpy ((*type), &buf[i]+len+1);

attempts to copy the 10 characters "sysadm_t\n\0" into the 9-character
buffer.

This patch should address the issue:

*** get_default_type.c.old    Thu Nov 30 11:32:58 2000
--- get_default_type.c        Tue Dec 26 00:19:04 2000
***************
*** 72,74 ****
          /* malloc space for the type */
!         (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));
          if ((*type) == NULL)
--- 72,74 ----
          /* malloc space for the type */
!         (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len));
          if ((*type) == NULL)
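Review bot: The allocation and the copy are still computed from two different expressions, so this only repairs the terminator off-by-one in line 73 without tying the malloc size to what strcpy(*type, &buf[i]+len+1) actually writes, and the trailing newline from buf is still copied into *type. Consider replacing the malloc/strcpy pair with strdup(&buf[i]+len+1) (or a memcpy bounded by the same length the allocation used), and stripping the newline from buf before any length is taken; the (char*) cast and sizeof(char) are redundant in C and can be dropped.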


Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com

-- 
Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\
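Added example, not code from the libsecure source or from either poster: it reproduces the size arithmetic quoted above for the "sysadm_r:sysadm_t\n" line and shows a parser that strips the newline before allocating, so the malloc size and the copy come from the same length. The function names and the fgets()-style input are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not the libsecure get_default_type.c source.
 * Allocation size from the original code: i is the offset of the role
 * in buf and len is strlen(role).  It omits the byte for '\0'. */
size_t original_alloc_size(const char *buf, size_t i, size_t len)
{
    return strlen(buf) - i - len - 1;
}

/* Bytes that strcpy(*type, &buf[i]+len+1) really writes: the remainder
 * of the line plus its terminator. */
size_t strcpy_bytes_written(const char *buf, size_t i, size_t len)
{
    return strlen(buf + i + len + 1) + 1;
}

/* Parse a "role:type" line as returned by fgets() and return a freshly
 * allocated copy of the type, or NULL if the role does not match or the
 * line is malformed.  The caller frees the result. */
char *parse_default_type(const char *line, const char *role)
{
    size_t len = strlen(role), n;
    char *buf, *type;
    const char *rest;

    /* Private copy so the trailing newline can be stripped before any
     * length arithmetic is done. */
    buf = malloc(strlen(line) + 1);
    if (buf == NULL)
        return NULL;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';
    if (strncmp(buf, role, len) != 0 || buf[len] != ':') {
        free(buf);
        return NULL;
    }
    rest = buf + len + 1;   /* same as &buf[i]+len+1 with i == 0 */
    n = strlen(rest);

    /* n bytes of text plus one for '\0'; memcpy keeps the copy bounded
     * by the same n the allocation used. */
    type = malloc(n + 1);
    if (type != NULL)
        memcpy(type, rest, n + 1);
    free(buf);
    return type;
}
```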
