Bugtraq mailing list archives
Re: buffer overflow in libsecure (NSA Security-enhanced Linux)
From: Perry Harrington <pedward () WEBCOM COM>
Date: Wed, 27 Dec 2000 15:35:28 -0800
From your message, it would appear that the file parser is at fault, not truncating the newline in the value. If the newline is removed, like most config file parsers, then the allocation logic is correct.

--Perry
value of buf would be "sysadm_r:sysadm_t\n". There are no leading (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1)); the argument to malloc is 18 - 0 - 8 - 1, which is 9. Then, strcpy ((*type), &buf[i]+len+1); attempts to copy the 10 characters "sysadm_t\n\0" into the 9-character buffer. This patch should address the issue: *** get_default_type.c.old Thu Nov 30 11:32:58 2000 --- get_default_type.c Tue Dec 26 00:19:04 2000 *************** *** 72,74 **** /* malloc space for the type */ ! (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1)); if ((*type) == NULL) --- 72,74 ---- /* malloc space for the type */ ! (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len)); if ((*type) == NULL) Matt Power BindView Corporation, RAZOR Team mhpower () bos bindview com
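Review bot: in the changed `malloc` line the size is still worked out by hand as `strlen(buf)-i-len`, separately from the `strcpy ((*type), &buf[i]+len+1)` that fills the buffer, so the two expressions can drift apart again. Sizing from the string actually copied, `strlen(&buf[i]+len+1) + 1`, would keep them tied together, and a short comment that the extra byte is for the terminating NUL would document why the `-1` was dropped. The trailing newline from the example value is also still copied into `*type`; if callers compare the type against names without a newline, strip it before allocating.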
-- Perry Harrington Director of zelur xuniL () perry () webcom com System Architecture Think Blue. /\
Current thread:
- buffer overflow in libsecure (NSA Security-enhanced Linux) Matt Power (Dec 27)
- Re: buffer overflow in libsecure (NSA Security-enhanced Linux) Perry Harrington (Dec 28)