Subject: bin/4138: buffer bugs in bootparamd
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dholland@eecs.harvard.edu>
List: netbsd-bugs
Date: 09/22/1997 19:05:54
>Number: 4138
>Category: bin
>Synopsis: possible buffer overruns from DNS spoofing in bootparamd
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 22 23:35:01 1997
>Last-Modified:
>Originator: David A. Holland <dholland@eecs.harvard.edu>
>Organization:
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
>Release: -current of 1997-Sep-22
>Environment:
System: NetBSD chianti.eecs.harvard.edu 1.2.1 NetBSD 1.2.1 (CHIANTI) #1: Tue Sep 9 16:52:39 EDT 1997 root@chianti.eecs.harvard.edu:/usr/src/sys/arch/i386/compile/CHIANTI i386
I got the actual -current source from ftp.netbsd.org just now.
>Description:
bootparamd does some unbounded copies of returned resolver data
into buffers that may or may not be quite big enough. (On FreeBSD
they're one byte too short.)
I believe this to be nonexploitable, hence the low priority ratings.
>How-To-Repeat:
>Fix:
--- bootparamd.c.dist Tue Sep 23 02:10:36 1997
+++ bootparamd.c Tue Sep 23 02:14:41 1997
@@ -159,8 +159,10 @@
bcopy((char *) &whoami->client_address.bp_address_u.ip_addr, (char *) &haddr,
sizeof(haddr));
he = gethostbyaddr((char *) &haddr, sizeof(haddr), AF_INET);
- if (he)
- strcpy(askname, he->h_name);
+ if (he) {
+ strncpy(askname, he->h_name, sizeof(askname));
+ askname[sizeof(askname)-1] = 0;
+ }
else {
inaddr.s_addr = haddr;
strcpy(askname, inet_ntoa(inaddr));
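Review bot: the `else` branch still copies with `strcpy(askname, inet_ntoa(inaddr));` while the `if (he)` branch was switched to a bounded copy. That is safe only because inet_ntoa returns at most 15 characters plus the terminator; a comment saying so, or using the same `strncpy` plus `askname[sizeof(askname)-1] = 0;` pattern, would keep both branches consistent and make the size assumption explicit. The explicit terminator line is necessary, since strncpy leaves askname unterminated whenever `he->h_name` is sizeof(askname) characters or longer.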
@@ -229,7 +231,8 @@
if (!he)
goto failed;
- strcpy(askname, he->h_name);
+ strncpy(askname, he->h_name, sizeof(askname));
+ askname[sizeof(askname)-1] = 0;
err = lookup_bootparam(askname, NULL, getfile->file_id,
&res.server_name, &res.server_path);
if (err == 0) {
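Review bot: the bounded copy now silently truncates an over-long `he->h_name` before it reaches `lookup_bootparam(askname, ...)`, so a resolver answer that does not fit produces a lookup for a different, shortened name instead of an error. Treating `strlen(he->h_name) >= sizeof(askname)` as a failure (`goto failed`, as the `!he` case already does) would be the safer outcome, since a truncated name is not the host the reply described. This is also the second copy of the same three-line pattern; a small helper would keep both call sites in sync.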
>Audit-Trail:
>Unformatted:
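Added illustration (not part of this report or of NetBSD's bootparamd) contrasting the strncpy-plus-terminator pattern from the patch with a strict copy that refuses names that do not fit; ASKNAME_LEN and copy_hostname are hypothetical names chosen for the example, and the sample hostnames are constructed:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size for the fixed askname buffer; the real declaration
   lives in bootparamd.c and is not reproduced here. */
#define ASKNAME_LEN 16
/* Strict copy (hypothetical helper): succeed only if the whole
   resolver-supplied name fits. Returns 1 on success, 0 otherwise,
   leaving dst as "" rather than a silently shortened hostname. */
int copy_hostname(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) {   /* no room for the NUL */
        if (dstsz) dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);          /* copies the terminator too */
    return 1;
}

/* The pattern the patch uses: strncpy plus an explicit terminator.
   Over-long input is cut to dstsz-1 characters. */
void copy_hostname_truncating(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    dst[dstsz - 1] = '\0';
}

/* Why the explicit terminator matters: returns 1 when strncpy alone
   leaves no NUL within the first dstsz bytes (dstsz <= 64). */
int strncpy_leaves_unterminated(const char *src, size_t dstsz)
{
    char buf[64];
    memset(buf, 'X', sizeof(buf));
    strncpy(buf, src, dstsz);
    return memchr(buf, '\0', dstsz) == NULL;
}
int main(void)
{
    /* Constructed sample names, not real resolver output. */
    const char *names[] = { "chianti", "chianti.eecs.harvard.edu" };
    char askname[ASKNAME_LEN];
    for (int i = 0; i < 2; i++) {
        int fits = copy_hostname(askname, sizeof(askname), names[i]);
        copy_hostname_truncating(askname, sizeof(askname), names[i]);
        printf("%s: fits=%d truncated=\"%s\" unterminated=%d\n", names[i],
               fits, askname, strncpy_leaves_unterminated(names[i], ASKNAME_LEN));
    }
    return 0;
}
```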