Subject: Re: BoS: Linux & BSD's lpr exploit (fwd)
To: Curt Sampson <curt@portal.ca>
From: John F. Woods <jfw@jfwhome.funhouse.com>
List: current-users
Date: 10/25/1996 16:58:35
Not that it matters much, but I'd suggest this as a slightly better patch:
(Someone more awake than I am right now should check for whether I'm off by
one...)
--------------------------------------------------------------------------
static void
card(c, p2)
register int c;
register char *p2;
{
char buf[BUFSIZ];
register char *p1 = buf;
register int len = 2;
*p1++ = c;
! while (len < BUFSIZ-1 && (c = *p2++) != '\0') {
*p1++ = (c == '\n') ? ' ' : c;
len++;
}
+ if (len == BUFSIZ-1) {
+ fatal2("excessive control line length");
+ }
*p1++ = '\n';
write(tfd, buf, len);
}
--------------------------------------------------------------------------
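
Review bot: The post-loop test `if (len == BUFSIZ-1)` cannot distinguish a control line that was cut short from one that ends exactly at the limit, so fatal2() also fires on input that would have fit. The bound itself is on the safe side: card() writes len bytes in total (the leading c, the copied characters, and the final '\n'), and len never exceeds BUFSIZ-1, so buf is not overrun. Because `len < BUFSIZ-1` is evaluated first and short-circuits, p2 still points at the first uncopied character whenever the loop stops on length, so `if (len == BUFSIZ-1 && *p2 != '\0')` would reject only lines that really were too long. A short comment explaining that len starts at 2 to account for c and the trailing newline would make the arithmetic easier to check.
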
The subroutine right above this one, linked() has the same class of bug
(happily overflow a fixed buffer) though I don't offhand see an easy way
to exploit it as a security hole. (Hmm, create exactly the RIGHT directory
names? Scary.)