Message-ID: <20120306013956.GZ184@brightrain.aerifal.cx>
Date: Mon, 5 Mar 2012 20:39:56 -0500
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Re: utmpx support

On Sun, Mar 04, 2012 at 08:10:36PM +0100, finkler wrote:
> struct utmpx *getutxid(const struct utmpx *id)
> {
>   while (getutxent()) {
>     switch (id->ut_type) {
>       case BOOT_TIME:
>       case OLD_TIME:
>       case NEW_TIME:
>         if (id->ut_type == ut.ut_type) return &ut;
>         break;
>       case INIT_PROCESS:
>       case LOGIN_PROCESS:
>       case USER_PROCESS:
>       case DEAD_PROCESS:
>         if (id->ut_type == ut.ut_type && !strcmp(id->ut_id, ut.ut_id)) return &ut;

Here strcmp is being called on data that was read from a file with no
validation. This is potentially a security issue (DoS); if the file
does not contain a null-terminated string, strcmp could run past the
end of the buffer and eventually segfault and crash the calling
program. It's probably hard to trigger the issue since the string for
comparison is also located in a utmp structure, but I think there
should be some validation, probably just fixing invalid data right
after the fread call so it never leaks out.

> struct utmpx *getutxline(const struct utmpx *line)
> {
>   while (getutxent()) {
>     switch (ut.ut_type) {
>       case LOGIN_PROCESS:
>       case USER_PROCESS:
>         if (!strcmp(line->ut_line, ut.ut_line)) return &ut;

Here too.

Rich
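The problem raised in the message above, as an added example that is not part of the thread and not musl's own code: a record is copied out of a constructed in-memory "utmp file" (a stand-in for fread), one record has a ut_line field filled to its full width with no NUL, and the two comparison styles are shown side by side. The record layout, field sizes and the helper names (read_rec, sanitize, find_line, build_file) are assumptions made for the example; real utmpx layouts are platform-specific. The bounded compare is kept for ut_id because a 4-byte ut_id legitimately uses all four bytes in real files, so forcing a terminator there would corrupt valid entries.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical record layout for this example (assumption: real utmpx records
   are platform-specific and larger; only the string-field handling matters). */
#define UT_IDSIZE    4
#define UT_LINESIZE  32
#define USER_PROCESS 7

struct rec {
    short ut_type;
    char  ut_id[UT_IDSIZE];      /* may use all 4 bytes, no NUL guaranteed */
    char  ut_line[UT_LINESIZE];
};

/* Length of a fixed-width field without assuming a NUL terminator. */
static size_t field_len(const char *f, size_t cap)
{
    size_t n = 0;
    while (n < cap && f[n]) n++;
    return n;
}

/* The form quoted above: strcmp stops only at a NUL, so an unterminated field
   makes it read past the array and eventually past the struct. Kept as the
   "before" version; only ever called here on already-sanitized records. */
static int line_matches_unsafe(const struct rec *a, const struct rec *b)
{
    return strcmp(a->ut_line, b->ut_line) == 0;
}

/* Bounded comparison: strncmp stops after n bytes even when neither side has a
   NUL, so it is safe for ut_id, which really does fill all 4 bytes. */
static int id_matches(const struct rec *a, const struct rec *b)
{
    return a->ut_type == b->ut_type
        && strncmp(a->ut_id, b->ut_id, sizeof a->ut_id) == 0;
}

static int line_matches(const struct rec *a, const struct rec *b)
{
    return strncmp(a->ut_line, b->ut_line, sizeof a->ut_line) == 0;
}

/* Fix invalid data right after the read, as the message suggests: force a
   terminator on ut_line so the record is safe for any later strlen/strcmp caller. */
static void sanitize(struct rec *r)
{
    r->ut_line[sizeof r->ut_line - 1] = '\0';
}

/* Stand-in for fread(): copy record idx out of a byte buffer, then sanitize.
   Returns 1 on success, 0 at end of "file". */
static int read_rec(const unsigned char *file, size_t len, size_t idx, struct rec *out)
{
    if (idx >= len / sizeof *out) return 0;
    memcpy(out, file + idx * sizeof *out, sizeof *out);
    sanitize(out);
    return 1;
}

/* getutxline-style scan over the "file", using only bounded comparisons. */
static int find_line(const unsigned char *file, size_t len, const char *line, struct rec *out)
{
    struct rec want;
    memset(&want, 0, sizeof want);
    strncpy(want.ut_line, line, sizeof want.ut_line - 1);
    for (size_t i = 0; read_rec(file, len, i, out); i++)
        if (out->ut_type == USER_PROCESS && line_matches(out, &want))
            return 1;
    return 0;
}

/* Length of record idx's ut_line exactly as stored, before sanitize runs. */
static size_t raw_line_len(const unsigned char *file, size_t len, size_t idx)
{
    struct rec r;
    if (idx >= len / sizeof r) return 0;
    memcpy(&r, file + idx * sizeof r, sizeof r);
    return field_len(r.ut_line, sizeof r.ut_line);
}

/* Constructed "utmp file" (sample data, not from any real system): record 0 is
   well formed; record 1 has ut_line filled with 32 'A's and no NUL, as a
   corrupted or hostile file might. Returns the number of bytes written. */
static size_t build_file(unsigned char *buf, size_t cap)
{
    struct rec r[2];
    memset(r, 0, sizeof r);
    r[0].ut_type = USER_PROCESS;
    memcpy(r[0].ut_id, "ts/0", 4);            /* all 4 bytes used, no NUL */
    strcpy(r[0].ut_line, "pts/0");
    r[1].ut_type = USER_PROCESS;
    memcpy(r[1].ut_id, "ts/1", 4);
    memset(r[1].ut_line, 'A', sizeof r[1].ut_line);
    if (cap < sizeof r) return 0;
    memcpy(buf, r, sizeof r);
    return sizeof r;
}

int main(void)
{
    unsigned char file[2 * sizeof(struct rec)];
    size_t len = build_file(file, sizeof file);
    struct rec r0, r1;
    printf("record 1 ut_line on disk: %zu bytes, no terminator within %d\n",
           raw_line_len(file, len, 1), UT_LINESIZE);
    if (read_rec(file, len, 1, &r1))
        printf("after sanitize: %zu bytes\n", field_len(r1.ut_line, sizeof r1.ut_line));
    if (read_rec(file, len, 0, &r0))
        printf("strcmp on sanitized record 0 vs itself: %d\n", line_matches_unsafe(&r0, &r0));
    printf("find pts/0: %d, id match: %d\n", find_line(file, len, "pts/0", &r1), id_matches(&r0, &r0));
    return 0;
}
```

Two independent fixes are shown because they address different callers: sanitize() guards every later consumer of the record (including application code that calls strlen on ut_line), while the strncmp-bounded matchers make the library's own lookups safe even for fields like ut_id that may validly lack a terminator.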
