Article delegate-en/575 of [1-5169] on the server localhost:119
[Reference:<_A574@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Buffer overflow in pop.c
03 Sep 1999 20:36:07 GMT ysato@etl.go.jp (Yutaka Sato)


In message <_A574@delegate-en.ML_>
on 09/02/99(21:08:36) you Fritz Thomas <phybabdyi-qjyh54otrnxr.ml@ml.delegate.org> wrote:
 |We did a security-scan on a box running delegated as a pop-proxy, and we
 |detected a buffer overflow, when the input-string exceeded 256 Bytes.
 |The attached "quick'n'dirty" patch is our workaround for the moment.
 |If a more experienced programmer fixes this problem in a better way, please
 |let us know.

In the complete revision for DeleGate/6.X, which will (maybe) be released
this month, "pop.c" has also been modified at several points,
including replacement of wordscan(str,buf) by wordscan(str,buf,size),
which will be safer.  The problem you pointed out will also be fixed in
that version. I have enclosed a patch which might be the minimum solution
for the problem in the meantime.

                   @ @  
┬─┐─┬─┌   //\^^   ( - )  <URL:http://www.etl.go.jp/~ysato/>
├─  │ │ / 876m\  _<   >_ <URL:http://www.delegate.org/delegate/>
┴── ┴ ┴──────────────────────────────┘

diff -c ../../delegate5.9.3/src/pop.c ./pop.c
*** ../../delegate5.9.3/src/pop.c	Tue Jun 15 13:43:16 1999
--- ./pop.c	Sat Sep  4 05:24:30 1999
***************
*** 417,423 ****
  	char *auser,*epass,*seed;
  	char *nextUSER;
  	char *resp;
! {	char *dp,userhost[256],user[256],hostport[256],host[256],tmp[1024];
  	char *opts;
  	int port;
  
--- 417,423 ----
  	char *auser,*epass,*seed;
  	char *nextUSER;
  	char *resp;
! {	char *dp,userhost[1024],user[1024],hostport[1024],host[1024],tmp[1024];
  	char *opts;
  	int port;
  
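Review bot: Raising userhost, user, hostport and host from 256 to 1024 bytes in the declaration at line 420 only moves the overflow threshold; nothing in this hunk bounds the amount written into those arrays, so an input longer than 1024 bytes would have the same effect as the 256-byte string from the scan report. The sizes should be enforced at the point of copy, for example by passing sizeof(user) and so on to the scanning routine, as the wordscan(str,buf,size) form mentioned in the message does. A single named constant in place of the repeated literal 1024 would also keep the declarations and any later length checks in step.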
diff -c ../../delegate5.9.3/src/url.c ./url.c
*** ../../delegate5.9.3/src/url.c	Thu Jun  3 14:20:17 1999
--- ./url.c	Sat Sep  4 05:05:13 1999
***************
*** 721,727 ****
--- 721,731 ----
  
  	p = proto;
  	for( up = url; isSchemeChar(ch = *up); up++ )
+ 	{
+ 		if( 32 <= p - proto )
+ 			break;
  		*p++ = ch;
+ 	}
  	*p = 0;
  
  	if( up[0] == ':' ){
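Review bot: The limit in "if( 32 <= p - proto )" is a bare literal with no visible tie to the declared size of proto, which is outside this hunk; if proto is an array, the check should be written against sizeof(proto) - 1 so that the following "*p = 0;" is guaranteed to stay in bounds even if the declaration changes. Note also that on the break path up is left pointing inside the over-long scheme, so the "up[0] == ':'" test after the loop fails and the string is not treated as a URL; if that rejection is intended, a short comment saying so would help, because the loop otherwise reads as silent truncation.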
