Subject: Re: bin/34658: [dM] identd truncates queries to first segment
To: None <peter@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 09/29/2006 12:35:02
The following reply was made to PR bin/34658; it has been noted by GNATS.
From: Christian Biere <christianbiere@gmx.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/34658: [dM] identd truncates queries to first segment
Date: Fri, 29 Sep 2006 14:29:58 +0200
der Mouse wrote:
> + while (1) {
> + if ((n =3D recv(fd, &buf[qlen], sizeof(buf)-qlen, 0)) < 0) {
> + fatal("recv");
> + } else if (n =3D=3D 0) {
[...]
> + }
[...]
> + qlen +=3D n;
> + if ( (qlen >=3D 2) &&
> + (buf[qlen-2] =3D=3D '\r') &&
> + (buf[qlen-1] =3D=3D '\n') )
> + break;
> }
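Review bot: nothing in this loop bounds `qlen` other than the length argument `sizeof(buf)-qlen` handed to recv(), so a query that fills `buf` without ever containing a CRLF is never rejected: once `qlen` reaches `sizeof(buf)` the next recv() is issued with a zero length and the loop can only leave through the elided `n == 0` branch, and if the caller later NUL-terminates at `buf[qlen]` that write lands one past the end. Check `qlen >= sizeof(buf)` (or a maximum query length) before the recv() and treat the overlong input as a malformed query. The CRLF test also looks only at the last two bytes received, so a terminator that arrives split across two segments, or that is followed by further bytes in the same segment, is not detected and the loop keeps reading.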
This looks like asking for a buffer overflow to me. There's no
protection that prevents qlen from exceeding "sizeof buf".
-- 
Christian
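A bounded version of the read loop under discussion, added here as an example and not identd's or the PR's own code: it checks the accumulated length before every recv() and rejects a query that fills the buffer without a CRLF, and it finds the CRLF even when it straddles two segments. The names read_query and query_from_bytes, the result enum and the socketpair-based helper are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
/* Constructed example, not identd's own code. One byte of buf is kept
 * for the NUL terminator, so bufsz-1 is the longest accepted query. */
enum query_result { QUERY_OK, QUERY_EOF, QUERY_TOO_LONG, QUERY_IOERR };
/* Read until CRLF ends the query, across any number of segments. The length
 * is checked before every recv(), so recv() is never called with length 0. */
enum query_result
read_query(int fd, char *buf, size_t bufsz, size_t *qlen)
{
    size_t len = 0;
    *qlen = 0;
    for (;;) {
        if (bufsz < 2 || len >= bufsz - 1)  /* full, still no CRLF */
            return QUERY_TOO_LONG;
        ssize_t n = recv(fd, buf + len, bufsz - 1 - len, 0);
        if (n < 0)
            return QUERY_IOERR;
        if (n == 0)
            return QUERY_EOF;               /* peer closed before CRLF */
        /* CRLF may straddle two segments: rescan from the last old byte. */
        size_t start = len > 0 ? len - 1 : 0;
        len += (size_t)n;
        for (size_t i = start + 1; i < len; i++) {
            if (buf[i - 1] == '\r' && buf[i] == '\n') {
                buf[i - 1] = '\0';          /* drop the terminator */
                *qlen = i - 1;
                return QUERY_OK;
            }
        }
    }
}
/* Test helper (constructed): push bytes through a socketpair and run
 * read_query() on the receiving end; the sender closes after writing. */
enum query_result
query_from_bytes(const char *d, size_t dlen, char *out, size_t outsz, size_t *qlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return QUERY_IOERR;
    ssize_t w = write(sv[1], d, dlen);
    close(sv[1]);
    enum query_result r = (w == (ssize_t)dlen) ? read_query(sv[0], out, outsz, qlen) : QUERY_IOERR;
    close(sv[0]);
    return r;
}
```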