In the spirit of the newly-formed FreeBSD Auditing Project, I present:
% banner `perl -e 'print "a"x2000'`
Segmentation fault(core dumped)
-----
The problem is a trivial one. From /usr/src/usr.bin/banner/banner.c:
/*
 * banner - prints large signs
 * banner [-w#] [-d] [-t] message ...
 */
#define MAXMSG 1024
...
char message[MAXMSG];
...
    /* Have now read in the data. Next get the message to be printed. */
    if (*argv) {
        strcpy(message, *argv);
        while (*++argv) {
            strcat(message, " ");
            strcat(message, *argv);
        }
        nchars = strlen(message);
    } else {
----
Bzzzt! Wrong!
OpenBSD were never vulnerable to this because they seem to use a different
banner(1) than we do. The issue of whether or not this is likely to be a
serious security risk is left as an exercise to the reader :-)
I'll commit this tomorrow (just wanted to get in a 'first post!' :-)..
Kris
Index: banner.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/banner/banner.c,v
retrieving revision 1.6
diff -u -r1.6 banner.c
--- banner.c 1999/04/19 04:05:25 1.6
+++ banner.c 1999/12/23 10:18:50
@@ -1058,15 +1058,15 @@
/* Have now read in the data. Next get the message to be printed. */
if (*argv) {
- strcpy(message, *argv);
+ strncpy(message, *argv, MAXMSG);
while (*++argv) {
- strcat(message, " ");
- strcat(message, *argv);
+ strlcat(message, " ", MAXMSG);
+ strlcat(message, *argv, MAXMSG);
}
nchars = strlen(message);
} else {
fprintf(stderr,"Message: ");
- (void)fgets(message, sizeof(message), stdin);
+ (void)fgets(message, MAXMSG, stdin);
nchars = strlen(message);
message[nchars--] = '\0'; /* get rid of newline */
}
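Review bot: the `strncpy(message, *argv, MAXMSG)` on the first changed line does not NUL-terminate `message` when the first argument is MAXMSG bytes or longer, so the `strlcat(message, ...)` calls and the `strlen(message)` that follow in this hunk still run off the end of the buffer; use `strlcpy(message, *argv, MAXMSG)` instead, matching the `strlcat` calls introduced in the same hunk (strlcpy comes with strlcat, so it is available wherever the new code builds). In the fgets branch, the `(void)fgets(message, MAXMSG, stdin)` result is still discarded, so on EOF with no input `strlen(message)` runs over an uninitialized buffer; checking for a NULL return before computing `nchars` would close that off, and the unchanged `message[nchars--] = '\0'` only decrements the count without actually removing the newline from the buffer.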
----
Cthulhu for President! For when you're tired of choosing the _lesser_ of
two evils..
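As an added example, not code from the mail or from the FreeBSD tree: a bounded version of the argv join that banner.c performs, plus a check of why swapping strcpy for strncpy alone is not a fix. bounded_cat is a stand-in for strlcat(3), written out so the block builds on a libc without it; the 2000-byte argument is constructed here to match the report's test case.

```c
#include <stddef.h>
#include <string.h>
#define MAXMSG 1024 /* same bound as banner.c */

/* Bounded append in the spirit of strlcat(3), spelled out because not every
 * libc has it: appends src to dst within size bytes, always NUL-terminates dst,
 * and returns the untruncated length, so a result >= size means input was lost. */
static size_t bounded_cat(char *dst, const char *src, size_t size)
{
    const char *end = memchr(dst, '\0', size);
    size_t dlen = end ? (size_t)(end - dst) : size, slen = strlen(src), n;
    if (dlen == size) return size + slen; /* dst unterminated: append nothing */
    n = slen < size - dlen - 1 ? slen : size - dlen - 1;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Joins argv words with single spaces into message[size] the way banner.c
 * does, but never writes past the buffer. Returns 1 if all input fit, else 0. */
int join_message(char *message, size_t size, char **argv)
{
    int i, fit = 1;
    if (size == 0) return 0;
    message[0] = '\0';
    for (i = 0; argv[i] != NULL; i++) {
        if (i > 0 && bounded_cat(message, " ", size) >= size) fit = 0;
        if (bounded_cat(message, argv[i], size) >= size) fit = 0;
    }
    return fit;
}

/* Why strncpy is not a drop-in fix: with a source of MAXMSG bytes or more it
 * leaves no NUL in the buffer. Returns 1 if dst is terminated after the copy. */
int strncpy_terminated(const char *src)
{
    char dst[MAXMSG];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Replays the report's 2000-byte argument (constructed here). Returns 1 if
 * join_message truncates it to MAXMSG-1 bytes and reports the loss, while a
 * plain strncpy of the same input would leave the buffer unterminated. */
int demo_long_argument(void)
{
    char big[2001], msg[MAXMSG], *argv[2] = { big, NULL };
    memset(big, 'a', 2000); big[2000] = '\0';
    return join_message(msg, sizeof msg, argv) == 0 && strlen(msg) == MAXMSG - 1 && !strncpy_terminated(big);
}
```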
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message