tech-security: Re: ssh buffer overflow / package?

Subject: Re: ssh buffer overflow / package?
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Todd C. Miller <Todd.Miller@courtesan.com>
List: tech-security
Date: 11/02/1998 12:16:59
The only source from 2.x is an snprintf implementation, which NetBSD
doesn't need since it is in libc.  To use vsnprintf() instead of
vsprintf() in the logging functions like the IBM advisory suggests
you can apply the following.

 - todd

--- log-server.c.DIST	Wed Jul  8 10:40:36 1998
+++ log-server.c	Sun Nov  1 19:51:47 1998
@@ -134,7 +134,7 @@
   if (log_quiet)
     return;
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "log: %s\n", buf);
@@ -175,7 +175,7 @@
   if (log_quiet)
     return;
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "log: %s\n", buf);
@@ -191,7 +191,7 @@
   if (!log_debug || log_quiet)
     return;
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "debug: %s\n", buf);
@@ -207,7 +207,7 @@
   if (log_quiet)
     return;
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "error: %s\n", buf);
@@ -302,7 +302,7 @@
   if (log_quiet)
     exit(1);
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "fatal: %s\n", buf);
@@ -321,7 +321,7 @@
   if (log_quiet)
     exit(1);
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   if (log_on_stderr)
     fprintf(stderr, "fatal: %s\n", buf);
--- packet.c.DIST	Wed Jul  8 10:40:37 1998
+++ packet.c	Sun Nov  1 19:52:00 1998
@@ -693,7 +693,7 @@
   va_list args;
   
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
   
   packet_start(SSH_MSG_DEBUG);
@@ -719,7 +719,7 @@
   /* Format the message.  Note that the caller must make sure the message
      is of limited size. */
   va_start(args, fmt);
-  vsprintf(buf, fmt, args);
+  vsnprintf(buf, sizeof(buf), fmt, args);
   va_end(args);
 
   /* Send the disconnect message to the other side, and wait for it to get 
--- scp.c.DIST	Wed Jul  8 10:40:38 1998
+++ scp.c	Sun Nov  1 19:52:13 1998
@@ -332,7 +332,7 @@
   char buf[1024];
 
   va_start(ap, fmt);
-  vsprintf(buf, fmt, ap);
+  vsnprintf(buf, sizeof(buf), fmt, ap);
   va_end(ap);
   fprintf(stderr, "%s\n", buf);
   exit(255);