From nobody  Sun Oct 27 07:00:58 1996
Received: (from nobody@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id HAA26372;
          Sun, 27 Oct 1996 07:00:58 -0800 (PST)
Message-Id: <199610271500.HAA26372@freefall.freebsd.org>
Date: Sun, 27 Oct 1996 07:00:58 -0800 (PST)
From: tqbf@enteract.com
To: freebsd-gnats-submit@freebsd.org
Subject: Arbitrary users can break root on systems with an SUID /sbin/route
X-Send-Pr-Version: www-1.0

>Number:         1903
>Category:       bin
>Synopsis:       Arbitrary users can break root on systems with an SUID /sbin/route
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 27 07:10:01 PST 1996
>Closed-Date:    Sun Oct 27 09:43:34 PST 1996
>Last-Modified:  Sun Oct 27 09:44:24 PST 1996
>Originator:     Thomas Ptacek
>Release:        FreeBSD 2.1.5-RELEASE
>Organization:
EnterAct, L.L.C.
>Environment:
FreeBSD adam 2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Sep  9 03:07:45 CDT 1996
tqbf@adam:/home1/src/sys/compile/ADAMSTOMP  i386
>Description:
When a user attempts to get a route entry using 'route get', route
does a reverse DNS lookup. It fails to check the length of the returned
hostname before copying it into a 50-byte buffer.

Additionally, large values for the argument to the 'get' command
will cause 'route' to die on SIGSEGV; gdb shows the stack being
overwritten with this value.
>How-To-Repeat:

>Fix:
Take the SUID bit off /sbin/route.
>Release-Note:
>Audit-Trail:

From: roberto@keltia.freenix.fr (Ollivier Robert)
To: tqbf@enteract.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/1903: Arbitrary users can break root on systems with an SUID /sbin/route
Date: Sun, 27 Oct 1996 16:55:46 +0100

 According to tqbf@enteract.com:
 > >Description:
 > When a user attempts to get a route entry using 'route get', route
 > does a reverse DNS lookup. It fails to check the length of the returned
 > hostname before copying it into a 50 byte buffer. 
 > 
 > Additionally, large values for the argument to the 'get' command
 > will cause 'route' to die on SIGSEGV; gdb shows the stack being
 > overwritten with this value.
 
 The following should fix it:
 
 Index: route.c
 ===================================================================
 RCS file: /spare/FreeBSD-current/src/sbin/route/route.c,v
 retrieving revision 1.15
 diff -u -2 -r1.15 route.c
 --- route.c	1996/09/14 02:59:46	1.15
 +++ route.c	1996/10/27 15:51:49
 @@ -323,5 +323,5 @@
  {
  	register char *cp;
 -	static char line[50];
 +	static char line[MAXHOSTNAMELEN + 1];
  	struct hostent *hp;
  	static char domain[MAXHOSTNAMELEN + 1];
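Review bot: `line` is `static`, so the 50-byte overrun the report describes lands in BSS and clobbers neighbouring static data (such as `domain[]`, declared right below it) rather than the stack; enlarging it to `MAXHOSTNAMELEN + 1` is only safe together with the bounded copy in the following hunk, so the two must be committed as one change. A resolver can still hand back a name longer than `MAXHOSTNAMELEN`, which is exactly why the size change alone is not a fix.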
 @@ -362,5 +362,5 @@
  		}
  		if (cp)
 -			strcpy(line, cp);
 +			snprintf(line, sizeof(line), "%s", cp);
  		else {
  			/* XXX - why not inet_ntoa()? */
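Review bot: `snprintf(line, sizeof(line), "%s", cp)` bounds the write but truncates silently, so an over-long PTR answer is printed as a shorter, plausible-looking name; if that matters for `route get` output, test the return value (`if (snprintf(line, sizeof(line), "%s", cp) >= sizeof(line))`) and fall back to the numeric address. The `else` branch behind the `/* XXX - why not inet_ntoa()? */` comment is not shown here; confirm its write into `line` is bounded as well.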
 @@ -414,5 +414,5 @@
  {
  	char *cp = 0;
 -	static char line[50];
 +	static char line[MAXHOSTNAMELEN + 1];
  	struct netent *np = 0;
  	u_long net, mask;
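Review bot: same static-buffer point as in routename above, and `n_name` from a `struct netent` is resolver data just as untrusted as a hostname, so the enlargement is warranted here too. Since `line` stays a true array in this scope, `sizeof(line)` in the copy below tracks the new size automatically; keep it an array rather than turning it into a pointer later.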
 @@ -459,5 +459,5 @@
  		}
  		if (cp)
 -			strcpy(line, cp);
 +			snprintf(line, sizeof(line), "%s", cp);
  		else if ((in.s_addr & 0xffffff) == 0)
  			(void) sprintf(line, "%u", C(in.s_addr >> 24));
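Review bot: the `sprintf(line, "%u", ...)` left in the `else if` branch writes at most ten digits and a NUL, which fits in `MAXHOSTNAMELEN + 1` bytes, but use `snprintf(line, sizeof(line), "%u", ...)` here too so the function has a single, size-following idiom. Separately, these four hunks only address the hostname and network-name copies; the second symptom in the report (a long argument to `get` crashing route with the stack overwritten) is not touched by this patch and needs its own fix.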
 
 -- 
 Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
 FreeBSD keltia.freenix.fr 2.2-CURRENT #25: Tue Oct 15 21:13:57 MET DST 1996
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Sun Oct 27 09:43:34 PST 1996 
State-Changed-Why:  
Fixed (by releasing root privs and by bounds checking copies) 
in rev 1.16 of src/sbin/route/route.c . 
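The following is an added example, not code from this PR or from FreeBSD's route.c. It places the unchecked copy the report describes (a `static char line[50]` filled with `strcpy` from a resolver-supplied name) next to a bounded copy in the style of the rev 1.16 fix, and adds the truncation check the patch leaves out: `snprintf` returns the length it wanted to write, so comparing that against the buffer size tells the caller whether the name was cut. The hostnames are constructed in-line, nothing is resolved, and `MAXHOSTNAMELEN` is assumed to be 256 as on BSD.

```c
/*
 * Added example, not code from PR bin/1903 or from FreeBSD's route.c.
 * Contrasts the unchecked copy the report describes with a bounded copy
 * that also reports truncation. Names are constructed; nothing is resolved.
 */
#include <stdio.h>
#include <string.h>

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256      /* assumption: the BSD value */
#endif

#define OLD_LINE_SIZE 50        /* the buffer size in route.c rev 1.15 */

struct copy_result {
    size_t needed;              /* bytes the name needs, excluding the NUL */
    int truncated;              /* 1 if dst was too small to hold it */
};

/*
 * What rev 1.15 did implicitly with strcpy(line, cp): any name that does
 * not fit in line[50] overruns it. Only the condition is tested here; the
 * overrun itself is never performed.
 */
int fits_in_old_buffer(const char *name)
{
    return strlen(name) < OLD_LINE_SIZE;
}

/*
 * Bounded copy like rev 1.16's snprintf(line, sizeof(line), "%s", cp),
 * plus the check the patch omits: a return value >= dstsz means the
 * output was cut short and the caller should not trust it as complete.
 */
struct copy_result copy_hostname(char *dst, size_t dstsz, const char *name)
{
    struct copy_result r;
    int n = snprintf(dst, dstsz, "%s", name);

    r.needed = n < 0 ? 0 : (size_t)n;
    r.truncated = r.needed >= dstsz;
    return r;
}

/* Fill buf with n copies of c plus a NUL; buf must hold n + 1 bytes. */
void make_name(char *buf, size_t n, char c)
{
    memset(buf, c, n);
    buf[n] = '\0';
}

int main(void)
{
    static char line[MAXHOSTNAMELEN + 1];   /* the rev 1.16 buffer */
    char big[MAXHOSTNAMELEN + 200];         /* a constructed PTR answer longer than the buffer */
    struct copy_result r;

    make_name(big, sizeof big - 1, 'a');
    printf("%zu-char name fits in the old %d-byte buffer: %s\n",
           strlen(big), OLD_LINE_SIZE, fits_in_old_buffer(big) ? "yes" : "no");

    r = copy_hostname(line, sizeof line, big);
    printf("bounded copy: needed %zu, stored %zu, truncated=%d\n",
           r.needed, strlen(line), r.truncated);

    /* A truncated name should not be displayed as if it were complete. */
    if (r.truncated)
        printf("would fall back to printing the numeric address here\n");
    return 0;
}
```

The point of `copy_result` is that the bounded copy alone, as in the patch, turns a memory-safety bug into a silent-truncation bug; returning the `snprintf` length lets the caller choose the numeric address instead of a misleadingly short name.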
>Unformatted:
