From proff@profane.iq.org  Sat Jan 25 18:11:56 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA09583;
          Sat, 25 Jan 1997 18:11:41 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id NAA15524;
          Sun, 26 Jan 1997 13:11:57 +1100 (EST)
Message-Id: <199701260211.NAA15524@profane.iq.org>
Date: Sun, 26 Jan 1997 13:11:57 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: uucpd, [almost certainly] non-exploitable buffer read overflow
X-Send-Pr-Version: 3.2

>Number:         2589
>Category:       bin
>Synopsis:       uucpd, [almost certainly] non-exploitable buffer read overflow
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 25 18:20:01 PST 1997
>Closed-Date:    Tue Apr 8 13:36:52 PDT 1997
>Last-Modified:  Tue Apr  8 13:38:07 PDT 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	It is possible to prevent null-termination of the remote host name.

>How-To-Repeat:

	

>Fix:

	See patch. We also extend the hostname size to MAXHOSTNAMELEN from the
	silly size of 32.

--- src/libexec/uucpd/uucpd.c~	Sun Jan 26 13:05:34 1997
+++ src/libexec/uucpd/uucpd.c	Sun Jan 26 13:06:49 1997
@@ -52,6 +52,7 @@
  */
 
 #include <sys/types.h>
+#include <sys/param.h>
 #include <sys/wait.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
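Review bot: this include is required rather than cosmetic, since MAXHOSTNAMELEN used in the two later hunks is defined in <sys/param.h>; keeping it with the other sys/ headers is fine, so nothing to change here.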
@@ -110,12 +111,13 @@
 
 void badlogin(char *name, struct sockaddr_in *sin)
 {
-	char remotehost[32];
+	char remotehost[MAXHOSTNAMELEN];
 	struct hostent *hp = gethostbyaddr((char *)&sin->sin_addr,
 		sizeof (struct in_addr), AF_INET);
 
 	if (hp) {
 		strncpy(remotehost, hp->h_name, sizeof (remotehost));
+		remotehost[sizeof(remotehost)-1] = '\0';
 		endhostent();
 	} else
 		strncpy(remotehost, inet_ntoa(sin->sin_addr),
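Review bot: the forced terminator is written only in the hp branch; the else branch's strncpy from inet_ntoa(sin->sin_addr) is left as it was. A dotted quad is at most 15 characters so it fits in either buffer size, but hoisting `remotehost[sizeof(remotehost)-1] = '\0';` to just after the if/else covers both branches with one line and keeps the invariant obvious to the next reader. Note also that h_name comes from a reverse-DNS answer that the peer's side of the network can influence, which is why a 32-byte buffer with no forced terminator let later reads of remotehost run off the end of the array.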
@@ -237,7 +239,7 @@
 void dologin(struct passwd *pw, struct sockaddr_in *sin)
 {
 	char line[32];
-	char remotehost[32];
+	char remotehost[MAXHOSTNAMELEN];
 	int f;
 	time_t cur_time;
 	struct hostent *hp = gethostbyaddr((char *)&sin->sin_addr,
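Review bot: `char line[32];` directly above the changed declaration keeps its old size while remotehost grows to MAXHOSTNAMELEN; if line is ever built from remotehost later in dologin, its own bound needs the same treatment, and this hunk does not show enough of the function to tell. Worth confirming before merging. Also, the forced terminator for this function lands in the next hunk, so the two hunks have to go in together.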
@@ -245,6 +247,7 @@
 
 	if (hp) {
 		strncpy(remotehost, hp->h_name, sizeof (remotehost));
+		remotehost[sizeof(remotehost)-1] = '\0';
 		endhostent();
 	} else
 		strncpy(remotehost, inet_ntoa(sin->sin_addr),
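Review bot: same point as in badlogin: `remotehost[sizeof(remotehost)-1] = '\0';` sits inside the hp branch, leaving the inet_ntoa path without it; placing the assignment below the if/else makes termination unconditional. With the larger buffer, strncpy now zero-fills all MAXHOSTNAMELEN bytes on every call, which is harmless here, but snprintf(remotehost, sizeof(remotehost), "%s", ...) would give the same guarantee in one call without the separate terminator line.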
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs
Responsible-Changed-By: mpp
Responsible-Changed-When: Sat Jan 25 23:17:13 PST 1997
Responsible-Changed-Why:
Misfiled PR.
State-Changed-From-To: open->closed
State-Changed-By: mpp
State-Changed-When: Tue Apr 8 13:36:52 PDT 1997
State-Changed-Why:
Part of this was fixed by a previous commit to make the
host name buffer larger.  I just committed a fix to fix
the one remaining problem.
>Unformatted:

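What the description calls a "buffer read overflow", shown as an added C example that is not part of this PR or of uucpd. It reproduces the two patterns side by side: strncpy alone, which writes no NUL when the source is as long as the destination, and strncpy followed by a forced terminator as in the patch. The names OLD_HOSTLEN, LONG_NAME, ADDR_TEXT, copy_unsafe, copy_safe and format_remotehost are this example's own; the reverse-DNS answer and the dotted-quad fallback are constructed strings standing in for gethostbyaddr() and inet_ntoa(), so the program runs offline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this demonstration (not uucpd's): the original
 * uucpd buffer size, a constructed reverse-DNS answer longer than 32 bytes,
 * and a constructed inet_ntoa()-style address string. */
#define OLD_HOSTLEN 32
static const char LONG_NAME[] =
    "constructed-reverse-dns-name-longer-than-thirty-two-bytes.example";
static const char ADDR_TEXT[] = "192.0.2.10";

/* True if a NUL appears somewhere in buf[0..len). */
int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Pre-patch pattern: strncpy alone. When strlen(src) >= len it copies
 * exactly len bytes and never writes a NUL. */
void copy_unsafe(char *dst, size_t len, const char *src)
{
    strncpy(dst, src, len);
}

/* Post-patch pattern: force the last byte to NUL whatever strncpy did. */
void copy_safe(char *dst, size_t len, const char *src)
{
    strncpy(dst, src, len);
    dst[len - 1] = '\0';
}

/* Does the old pattern leave a terminator for this name? The buffer is
 * pre-filled with non-NUL bytes so a stale NUL left on the stack cannot
 * mask the problem. */
int unsafe_copy_terminated(const char *name)
{
    char buf[OLD_HOSTLEN];
    memset(buf, 'X', sizeof buf);
    copy_unsafe(buf, sizeof buf, name);
    return is_terminated(buf, sizeof buf);
}

/* Length of the string the new pattern produces for this name:
 * the whole name if it fits, otherwise OLD_HOSTLEN - 1 characters. */
size_t safe_copy_len(const char *name)
{
    char buf[OLD_HOSTLEN];
    memset(buf, 'X', sizeof buf);
    copy_safe(buf, sizeof buf, name);
    return strlen(buf);
}

/* Mirror of the badlogin()/dologin() shape, with the terminator placed
 * below the if/else so both the resolved-name branch and the address-text
 * branch are covered by one line. resolved == NULL models gethostbyaddr()
 * returning no answer. */
void format_remotehost(char *dst, size_t len, const char *resolved,
                       const char *addr_text)
{
    if (resolved != NULL)
        strncpy(dst, resolved, len);
    else
        strncpy(dst, addr_text, len);
    dst[len - 1] = '\0';
}

/* strlen() of what format_remotehost() leaves in an OLD_HOSTLEN buffer. */
size_t remotehost_len(const char *resolved, const char *addr_text)
{
    char buf[OLD_HOSTLEN];
    memset(buf, 'X', sizeof buf);
    format_remotehost(buf, sizeof buf, resolved, addr_text);
    return strlen(buf);
}

int main(void)
{
    printf("old pattern, short name terminated: %d\n",
           unsafe_copy_terminated("short.example"));
    printf("old pattern, long name terminated:  %d\n",
           unsafe_copy_terminated(LONG_NAME));
    printf("new pattern, long name length:      %zu\n",
           safe_copy_len(LONG_NAME));
    printf("fallback branch length:             %zu\n",
           remotehost_len(NULL, ADDR_TEXT));
    return 0;
}
```

The boundary is exact: a 31-character name still gets a NUL from strncpy's padding, a 32-character name does not, so a reverse-DNS name of any length at or above the buffer size is enough to leave the old remotehost unterminated. The forced terminator caps the copy at 31 characters and guarantees every later read stops inside the array; raising the buffer to MAXHOSTNAMELEN on top of that only reduces how often a legitimate name is truncated.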