[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Improper fixed-size buffer usage in connect_to_gserver()

From: Alexey Mahotkin
Subject: Improper fixed-size buffer usage in connect_to_gserver()
Date: Wed, 13 Jun 2001 21:50:31 +0400 (MSD)

Humm, it seems to me like there is a plain old buffer overflow in
connect_to_gserver().  hostinfo->h_name is taken directly from DNS (in
init_sockaddr()) which could be under control of remote host.  Then it
is sprintf()'ed without length checking into buf[1024].  You get an

2001-06-13  Alexey Mahotkin  <alexm@hsys.msk.ru>

        * client.c: Fix incorrect fixed-size buffer usage in

--- client.c    Tue Apr 24 22:14:53 2001
+++ client.c-new        Wed Jun 13 21:41:49 2001
@@ -4189,13 +4189,15 @@
 /* Connect to the server using GSSAPI authentication.  */
+#define BUFSIZE 1024
 static int
 connect_to_gserver (sock, hostinfo)
      int sock;
      struct hostent *hostinfo;
     char *str;
-    char buf[1024];
+    char buf[BUFSIZE];
     gss_buffer_desc *tok_in_ptr, tok_in, tok_out;
     OM_uint32 stat_min, stat_maj;
     gss_name_t server_name;
@@ -4205,7 +4207,7 @@
     if (send (sock, str, strlen (str), 0) < 0)
        error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
-    sprintf (buf, "cvs@%s", hostinfo->h_name);
+    snprintf (buf, BUFSIZE, "cvs@%s", hostinfo->h_name);
     tok_in.length = strlen (buf);
     tok_in.value = buf;
     gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,


reply via email to

[Prev in Thread] Current Thread [Next in Thread]