SEO
vBulletin Search Engine Optimization
| |||||||
| Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-18-2008, 09:15 AM
| ||||
| ||||
 overflow in ftp/ruserpass.c Hi, $ perl -e 'print "x" x 100000'>.netrc $ ftp localhost Trying 127.0.0.1... Connected to localhost. 220 yelena.nicm.ath.cx FTP server (Version 6.6/OpenBSD) ready. Segmentation fault (core dumped) With diff below: $ /usr/src/*/ftp/obj/ftp localhost Trying 127.0.0.1... Connected to localhost. 220 yelena.nicm.ath.cx FTP server (Version 6.6/OpenBSD) ready. ftp: Token in .netrc too long ftp> 221 Goodbye. $ -- Nicholas. Index: ruserpass.c ================================================== ================= RCS file: /cvs/src/usr.bin/ftp/ruserpass.c,v retrieving revision 1.20 diff -u -p -r1.20 ruserpass.c --- ruserpass.c 16 May 2006 23:43:16 -0000 1.20 +++ ruserpass.c 20 Mar 2007 15:33:39 -0000 @@ -108,7 +108,7 @@ ruserpass(const char *host, char **aname if ((mydomain = strchr(myname, '.')) == NULL) mydomain = ""; next: - while ((t = token())) switch(t) { + while ((t = token()) > 0) switch(t) { case DEFAULT: usedefault = 1; @@ -116,7 +116,9 @@ next: case MACH: if (!usedefault) { - if (token() != ID) + if ((t = token()) == -1) + goto bad; + if (t != ID) continue; /* * Allow match either for user's input host name @@ -142,10 +144,13 @@ next: continue; } match: - while ((t = token()) && t != MACH && t != DEFAULT) switch(t) { + while ((t = token()) > 0 && + t != MACH && t != DEFAULT) switch(t) { case LOGIN: - if (token()) { + if ((t = token()) == -1) + goto bad; + if (t) { if (*aname == 0) *aname = strdup(tokval); else { @@ -162,7 +167,9 @@ next: warnx("Remove password or make file unreadable by others."); goto bad; } - if (token() && *apass == 0) + if ((t = token()) == -1) + goto bad; + if (t && *apass == 0) *apass = strdup(tokval); break; case ACCOUNT: @@ -172,7 +179,9 @@ next: warnx("Remove account or make file unreadable by others."); goto bad; } - if (token() && *aacct == 0) + if ((t = token()) == -1) + goto bad; + if (t && *aacct == 0) *aacct = strdup(tokval); break; case MACDEF: @@ -248,6 +257,8 @@ next: goto done; } done: + if (t == -1) + goto bad; (void)fclose(cfile); return (0); bad: @@ -275,6 +286,10 @@ token(void) if (c == '\\') c = fgetc(cfile); *cp++ = c; + if (cp == tokval + sizeof(tokval)) { + warnx("Token in .netrc too long"); + return (-1); + } } } else { *cp++ = c; @@ -283,6 +298,10 @@ token(void) if (c == '\\') c = fgetc(cfile); *cp++ = c; + if (cp == tokval + sizeof(tokval)) { + warnx("Token in .netrc too long"); + return (-1); + } } } *cp = 0;      |
 |
« Re: [patch] SpeedStep for PIII CPUs on PIIX4 chipsets
|
Re: [patch] SpeedStep for PIII CPUs on PIIX4 chipsets »
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT. The time now is 04:17 AM.
