From venglin@freebsd.lublin.pl  Thu Dec  7 03:17:35 2000
Return-Path: <venglin@freebsd.lublin.pl>
Received: from yeti.ismedia.pl (unknown [212.182.96.18])
	by hub.freebsd.org (Postfix) with SMTP id B56C637B400
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  7 Dec 2000 03:17:30 -0800 (PST)
Received: (qmail 38050 invoked from network); 7 Dec 2000 11:17:54 -0000
Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11)
  by 0 with SMTP; 7 Dec 2000 11:17:54 -0000
Received: (qmail 21560 invoked from network); 7 Dec 2000 11:19:03 -0000
Received: from unknown (HELO riget.scene.pl) (212.182.115.2)
  by 0 with SMTP; 7 Dec 2000 11:19:03 -0000
Received: (qmail 61677 invoked by uid 1001); 7 Dec 2000 11:16:03 -0000
Message-Id: <20001207111603.61676.qmail@riget.scene.pl>
Date: 7 Dec 2000 11:16:03 -0000
From: venglin@freebsd.lublin.pl
Reply-To: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: [SECURITY] buffer overflow in opieftpd
X-Send-Pr-Version: 3.2

>Number:         23352
>Category:       bin
>Synopsis:       [SECURITY] buffer overflow in opieftpd
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 07 03:20:01 PST 2000
>Closed-Date:    Sat Jul 12 23:00:08 PDT 2003
>Last-Modified:  Sat Jul 12 23:00:08 PDT 2003
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
ISMEDIA
>Environment:

	FreeBSD 4.2-STABLE as of 5th December 2000.

>Description:

	ftpd_popen() from opieftpd contains a buffer overflow. opieftpd is not
	compiled by default.

>How-To-Repeat:

	N/A

>Fix:

--- popen.c.bak	Thu Dec  7 12:11:24 2000
+++ popen.c	Thu Dec  7 12:18:04 2000
@@ -82,10 +82,13 @@
 #include <string.h>
 #endif /* HAVE_STRING_H */
 
 #include "opie.h"
 
+#define MAXUSRARGS	100
+#define MAXGLOBARGS	1000
+
 char **ftpglob __P((register char *));
 char **copyblk __P((char **));
 VOIDRET blkfree __P((char **));
 
 /*
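Review bot: MAXUSRARGS and MAXGLOBARGS are introduced without a comment saying what they bound. Both are the sizes of argv[] and gargv[] including the slot for the terminating NULL, which is why the loops further down compare against MAXUSRARGS-1 and MAXGLOBARGS-1; a one-line comment next to the defines, e.g. `/* slots in argv[] / gargv[], including the terminating NULL */`, would spare the next reader from reconstructing that from the loop bounds.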
@@ -101,34 +104,36 @@
 FILE *ftpd_popen FUNCTION((program, type), char *program AND char *type)
 {
   char *cp;
   FILE *iop;
   int argc, gargc, pdes[2];
-  char **pop, *argv[100], *gargv[1000], *vv[2];
+  char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS], *vv[2];
 
   if ((*type != 'r' && *type != 'w') || type[1])
     return (NULL);
 
   if (pipe(pdes) < 0)
     return (NULL);
 
   /* break up string into pieces */
-  for (argc = 0, cp = program;; cp = NULL)
+  for (argc = 0, cp = program; argc < MAXUSRARGS-1; cp = NULL) {
     if (!(argv[argc++] = strtok(cp, " \t\n")))
       break;
+  }
+  argv[argc - 1] = NULL;
 
   /* glob each piece */
   gargv[0] = argv[0];
-  for (gargc = argc = 1; argv[argc]; argc++) {
+  for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
     if (!(pop = (char **) ftpglob(argv[argc]))) {
       /* globbing failed */
       vv[0] = argv[argc];
       vv[1] = NULL;
       pop = (char **) copyblk(vv);
     }
     argv[argc] = (char *) pop;	/* save to free later */
-    while (*pop && gargc < 1000)
+    while (*pop && gargc < MAXGLOBARGS-1)
       gargv[gargc++] = *pop++;
   }
   gargv[gargc] = NULL;
 
   iop = NULL;

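Review bot: the bounded strtok() loop silently truncates instead of failing. When argc reaches MAXUSRARGS-1 the loop exits with a real word stored in argv[argc-1], and the following `argv[argc - 1] = NULL;` overwrites it, so a command line with 99 or more words loses its last stored word and the rest of the line is never read, with no error reported to the caller; on the normal path that same assignment is redundant, since strtok()'s NULL has already been stored before the break. Consider returning NULL when the limit is hit (closing pdes[0] and pdes[1], which are already open at that point) rather than passing a shortened command on. In the glob loop, the added `gargc < (MAXGLOBARGS-1)` condition can end the outer for early, which leaves the remaining argv[argc..] entries as plain strings rather than the blocks the `save to free later` comment promises; whatever frees them later has to cope with that, or the loop should glob every argument and only cap what is copied into gargv. Minor style point: `(MAXGLOBARGS-1)` is parenthesised in the for condition but not in the while condition.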
>Release-Note:
>Audit-Trail:

From: Dag-Erling Smorgrav <des@ofug.org>
To: venglin@freebsd.lublin.pl
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/23352: [SECURITY] buffer overflow in opieftpd
Date: 07 Dec 2000 12:54:15 +0100

 venglin@freebsd.lublin.pl writes:
 > 	ftpd_popen() from opieftpd contains a buffer overflow. opieftpd is not
 > 	compiled by default.
 
 While you're there, you might want to rewrite ftpd_popen() (both in
 opieftpd and regular ftpd - they should be identical, or at least very
 similar) so that it takes a list of arguments instead of a single
 string which it breaks into arguments.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
 
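The point of the patch is the bound on the strtok() loop, and the difference between a bound that truncates and one that refuses is where the remaining risk sits. The following C is an added example, not code from the PR or from opieftpd: split_args_patched() re-expresses the loop shape of the patched ftpd_popen() (bounded strtok() loop followed by argv[argc - 1] = NULL) so its behaviour at the limit can be observed, and split_args_strict() is the alternative that returns an error when the line does not fit instead of dropping a word. The names split_args_strict, split_args_patched, count_strict, count_patched, word_at_matches and the small MAX_ARGS cap are this example's own; the line contents are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8          /* small cap (this example's own) so the limit is easy to hit */
#define LINE_MAX_LEN 256

/*
 * Strict variant: split 'line' on blanks, tabs and newlines into
 * argv[0..n-1] with argv[n] = NULL.  Returns n, or -1 if the line has more
 * than cap-1 words.  Nothing is silently dropped.  'line' is modified in
 * place, as strtok() does in the original ftpd_popen().
 */
int split_args_strict(char *line, char **argv, size_t cap)
{
    size_t argc = 0;
    char *cp;

    if (cap == 0)
        return -1;
    for (cp = strtok(line, " \t\n"); cp != NULL; cp = strtok(NULL, " \t\n")) {
        if (argc >= cap - 1) {          /* last slot is reserved for the NULL */
            argv[0] = NULL;
            return -1;                  /* caller decides; no truncated command */
        }
        argv[argc++] = cp;
    }
    argv[argc] = NULL;
    return (int)argc;
}

/*
 * Same loop shape as the patched ftpd_popen() (re-expressed here, not the
 * PR's code): stop reading when argc reaches cap-1, then store NULL at
 * argv[argc-1].  At the limit that NULL replaces a word that was already
 * stored, so at most cap-2 words survive and the caller is not told.
 */
int split_args_patched(char *line, char **argv, size_t cap)
{
    size_t argc;
    char *cp;

    if (cap < 2)
        return -1;
    for (argc = 0, cp = line; argc < cap - 1; cp = NULL) {
        if (!(argv[argc++] = strtok(cp, " \t\n")))
            break;
    }
    argv[argc - 1] = NULL;
    return (int)argc - 1;
}

/* Helpers: copy a constant line, split it with MAX_ARGS slots, report. */
int count_strict(const char *line)
{
    char buf[LINE_MAX_LEN];
    char *argv[MAX_ARGS];

    snprintf(buf, sizeof buf, "%s", line);
    return split_args_strict(buf, argv, MAX_ARGS);
}

int count_patched(const char *line)
{
    char buf[LINE_MAX_LEN];
    char *argv[MAX_ARGS];

    snprintf(buf, sizeof buf, "%s", line);
    return split_args_patched(buf, argv, MAX_ARGS);
}

/*
 * 1 if, after splitting 'line' with the chosen variant, argv[idx] equals
 * 'expect' (pass expect = NULL to check the terminator), else 0.
 */
int word_at_matches(const char *line, int strict, size_t idx, const char *expect)
{
    char buf[LINE_MAX_LEN];
    char *argv[MAX_ARGS];
    int n;

    snprintf(buf, sizeof buf, "%s", line);
    n = strict ? split_args_strict(buf, argv, MAX_ARGS)
               : split_args_patched(buf, argv, MAX_ARGS);
    if (n < 0 || idx > (size_t)n)
        return 0;
    if (argv[idx] == NULL || expect == NULL)
        return argv[idx] == expect;
    return strcmp(argv[idx], expect) == 0;
}

int main(void)
{
    const char *ok = "ls -la /tmp";            /* constructed: 3 words */
    const char *exact = "a b c d e f g";       /* constructed: MAX_ARGS-1 words */
    const char *big = "a b c d e f g h i";     /* constructed: over the cap */

    printf("strict : %d %d %d\n", count_strict(ok), count_strict(exact), count_strict(big));
    printf("patched: %d %d %d\n", count_patched(ok), count_patched(exact), count_patched(big));
    return 0;
}
```

With a cap of 8, the strict variant returns 3, 7 and -1 for the three lines, while the patched loop shape returns 3, 6 and 6: a line with exactly cap-1 words loses its last word, and an over-long line is cut short without any signal to the caller. In ftpd_popen() the same behaviour applies with MAXUSRARGS in place of the small cap.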
State-Changed-From-To: open->closed 
State-Changed-By: kris 
State-Changed-When: Sat Jul 12 22:57:39 PDT 2003 
State-Changed-Why:  
Patch committed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23352 
>Unformatted:
