Subject: Re: bin/34658: [dM] identd truncates queries to first segment
To: None <peter@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 09/29/2006 12:35:02
The following reply was made to PR bin/34658; it has been noted by GNATS.

From: Christian Biere <christianbiere@gmx.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/34658: [dM] identd truncates queries to first segment
Date: Fri, 29 Sep 2006 14:29:58 +0200

 der Mouse wrote:
 > +	while (1) {
 > +		if ((n =3D recv(fd, &buf[qlen], sizeof(buf)-qlen, 0)) < 0) {
 > +			fatal("recv");
 > +		} else if (n =3D=3D 0) {
 [...]
 > +		}
 [...]
 > +		qlen +=3D n;
 > +		if ( (qlen >=3D 2) &&
 > +		     (buf[qlen-2] =3D=3D '\r') &&
 > +		     (buf[qlen-1] =3D=3D '\n') )
 > +			break;
 >  	}
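 Review bot: the loop bounds each recv() call with sizeof(buf)-qlen but never checks whether the buffer has filled up without a CRLF arriving; once qlen reaches sizeof(buf) the next iteration calls recv() with a length of 0, and the elided `n == 0` branch decides what happens, with no byte left for a terminating NUL if buf is later handled as a C string. Suggest an explicit check after `qlen += n;`, e.g. `if (qlen >= sizeof(buf) - 1) { /* overlong query: reject and close */ }`, and passing `sizeof(buf) - 1 - qlen` to recv() so the last byte stays reserved for the NUL. Also, the CRLF test only inspects the last two bytes received, so a query whose CRLF is followed by further bytes in the same segment is never recognised as complete; scanning the newly received bytes for "\r\n" would be more robust.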
 
 This looks like asking for a buffer overflow to me. There's no
 protection that prevents qlen from exceeding "sizeof buf".
 
 -- 
 Christian
 
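As an added illustration of the point raised in this thread, the following is a bounded version of the "read until CRLF across several segments" loop. It is example code written for this page, not the patch from the PR and not NetBSD's identd; the names read_query, feed_and_read and the query_status codes are hypothetical, and the sample queries are constructed. It reserves one byte for the NUL terminator, rejects a request that fills the buffer without a CRLF instead of looping with a zero-length recv(), and finds the CRLF anywhere in the received bytes rather than only at the very end.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for read_query(); constructed for this example. */
enum query_status {
    QUERY_OK = 0,        /* complete CRLF-terminated line is in buf */
    QUERY_EOF = -1,      /* peer closed the connection before sending CRLF */
    QUERY_TOO_LONG = -2, /* buffer filled with no CRLF: reject the query */
    QUERY_ERROR = -3     /* recv(2) failed; errno is set */
};

/*
 * Read one CRLF-terminated request line from a connected stream socket,
 * tolerating the line arriving in several segments (even "\r" and "\n"
 * in different segments).  The line including its CRLF must fit in
 * bufsz-1 bytes; the last byte is reserved for the NUL terminator.
 * On QUERY_OK the CRLF is stripped, buf is NUL-terminated and *outlen
 * holds the payload length.  Bytes after the CRLF are ignored.
 */
int read_query(int fd, char *buf, size_t bufsz, size_t *outlen)
{
    size_t qlen = 0;

    if (bufsz < 3)              /* room for "\r\n" plus the NUL at least */
        return QUERY_ERROR;

    for (;;) {
        /* Explicit bound: no space left means the line is too long. */
        if (qlen >= bufsz - 1)
            return QUERY_TOO_LONG;

        ssize_t n = recv(fd, buf + qlen, bufsz - 1 - qlen, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return QUERY_ERROR;
        }
        if (n == 0)
            return QUERY_EOF;

        /* Scan for CRLF starting one byte back, so a CR that ended the
         * previous segment is paired with an LF at the start of this one. */
        size_t start = qlen > 0 ? qlen - 1 : 0;
        qlen += (size_t)n;
        for (size_t i = start; i + 1 < qlen; i++) {
            if (buf[i] == '\r' && buf[i + 1] == '\n') {
                buf[i] = '\0';
                if (outlen)
                    *outlen = i;
                return QUERY_OK;
            }
        }
    }
}

/*
 * Test helper: push the given segments through a socketpair, close the
 * sending end, and run read_query() on the receiving end.
 */
int feed_and_read(const char *const *segs, size_t nsegs,
                  char *buf, size_t bufsz, size_t *outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return QUERY_ERROR;
    for (size_t i = 0; i < nsegs; i++) {
        size_t len = strlen(segs[i]);
        if (len > 0 && send(sv[1], segs[i], len, 0) != (ssize_t)len) {
            close(sv[0]);
            close(sv[1]);
            return QUERY_ERROR;
        }
    }
    close(sv[1]);               /* peer is done: EOF follows the data */
    int rc = read_query(sv[0], buf, bufsz, outlen);
    close(sv[0]);
    return rc;
}
```

A query that arrives as one segment, one split across several segments, and one split between the CR and the LF all come back as QUERY_OK with the same payload; a connection closed mid-line yields QUERY_EOF, and a line longer than the buffer yields QUERY_TOO_LONG without ever writing past buf.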