From Cy.Schubert@uumail.gov.bc.ca  Wed Dec  9 05:10:54 1998
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA13309
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 9 Dec 1998 05:10:53 -0800 (PST)
          (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.9.1/8.8.8) id FAA06003
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 9 Dec 1998 05:10:43 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda06001; Wed Dec  9 05:10:29 1998
Received: (from cschuber@localhost)
	by passer.osg.gov.bc.ca (8.9.1/8.9.1) id FAA09756;
	Wed, 9 Dec 1998 05:10:28 -0800 (PST)
Message-Id: <199812091310.FAA09756@passer.osg.gov.bc.ca>
Date: Wed, 9 Dec 1998 05:10:28 -0800 (PST)
From: Cy Schubert <Cy.Schubert@uumail.gov.bc.ca>
Reply-To: cschuber@uumail.gov.bc.ca
To: FreeBSD-gnats-submit@freebsd.org
Subject: bootpd.c buffer overrun
X-Send-Pr-Version: 3.2

>Number:         9031
>Category:       bin
>Synopsis:       OpenBSD fix to bootpd remote root exploit
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec  9 05:20:01 PST 1998
>Closed-Date:    Sat Dec 12 12:57:32 PST 1998
>Last-Modified:  Sat Dec 12 12:59:04 PST 1998
>Originator:     Cy Schubert
>Release:        FreeBSD 2.2.8-RELEASE i386
>Organization:
ITSD, Province of BC
>Environment:

	FreeBSD passer.osg.gov.bc.ca 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE #0: Thu Dec  3 08:25:32 PST 1998     root@passer.osg.gov.bc.ca:/opt/usr_src-228/src/sys/compile/PASSER  i386

	Supplied patch will apply cleanly to 3.0 tree.

>Description:

	Buffer overrun condition in bootpd.c can be remotely exploited
	to obtain unauthorized root privilege.

>How-To-Repeat:

	Exploit code unavailable to me.

>Fix:
	
	The following patch will apply cleanly to 2.2 and 3.0 CVS trees.
	Thanks to Theo de Raadt for creating the OpenBSD patch, which
	this patch is based on.

	--- /usr/src/libexec/bootpd/bootpd.c	Sat Jul 18 23:52:58 1998
	+++ /tmp/bootpd.c	Wed Dec  9 04:56:55 1998
	@@ -833,7 +833,8 @@
	 	 * daemon chroot directory (i.e. /tftpboot).
	 	 */
	 	if (hp->flags.tftpdir) {
	-		strcpy(realpath, hp->tftpdir->string);
	+		strncpy(realpath, hp->tftpdir->string,sizeofr(realpath-1));
	+		realpath[sizeof(realpath-1)] = '\0';
	 		clntpath = &realpath[strlen(realpath)];
	 	} else {
	 		realpath[0] = '\0';
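Review bot: the bound arithmetic in the two added lines is wrong, and the first will not compile: `sizeofr(realpath-1)` is a typo for `sizeof`, and `sizeof(realpath-1)` measures the pointer that `realpath-1` decays to (4 or 8 bytes), not the buffer length minus one, so the copy would be cut to a few characters and the terminator written at index 3 or 7 instead of at the end of the buffer. Suggest `strncpy(realpath, hp->tftpdir->string, sizeof(realpath) - 1);` followed by `realpath[sizeof(realpath) - 1] = '\0';`, or the `snprintf()` form the audit trail says was actually committed, whose return value also lets the caller detect truncation instead of silently serving a shortened path.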

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dillon 
State-Changed-When: Sat Dec 12 12:57:32 PST 1998 
State-Changed-Why:  
Committed patch to -current converting unbounded strcpy() to an snprintf() 
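The bounded copy this PR is about, as an added example that is not bootpd's code or the committed FreeBSD change: build_realpath(), REALPATH_LEN and the two *_bound() helpers are assumed names for this demonstration, and the snprintf() form follows the audit trail's note that the committed fix used snprintf() rather than the strncpy() in the submitted patch.

```c
/* Added example, not bootpd's own code: a bounded version of the realpath
 * prefix copy that PR 9031 patches. build_realpath(), REALPATH_LEN and the
 * *_bound() helpers are assumed names for this demonstration. */
#include <stdio.h>
#include <string.h>

/* Constructed buffer size; bootpd's actual realpath[] length is not on the page. */
#define REALPATH_LEN 32

/* Copy the tftpdir prefix into dst and return where the client path will be
 * appended (bootpd's clntpath). Returns NULL if the prefix does not fit,
 * rather than writing past dst as the original unbounded strcpy() could. */
const char *build_realpath(char *dst, size_t dstlen, const char *tftpdir)
{
    int n = snprintf(dst, dstlen, "%s", tftpdir);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* truncated: refuse rather than serve a mangled path */
        return NULL;
    }
    return dst + n;             /* same position as &dst[strlen(dst)] */
}

/* The bound as written in the submitted patch: sizeof(realpath-1) measures
 * the pointer that realpath-1 decays to, not the array, so it is 4 or 8. */
size_t wrong_bound(void)
{
    char realpath[REALPATH_LEN];
    return sizeof(realpath - 1);
}

/* The bound the patch intended: the array size minus room for the NUL. */
size_t right_bound(void)
{
    char realpath[REALPATH_LEN];
    return sizeof(realpath) - 1;
}

int main(void)
{
    char realpath[REALPATH_LEN];
    const char *clntpath = build_realpath(realpath, sizeof realpath, "/tftpboot");
    printf("prefix %s, client path appended at offset %ld\n",
           realpath, (long)(clntpath - realpath));
    if (build_realpath(realpath, sizeof realpath,
                       "/tftpboot/this/prefix/is/far/too/long/for/the/buffer") == NULL)
        printf("oversized tftpdir rejected\n");
    printf("patch bound %zu vs intended bound %zu\n", wrong_bound(), right_bound());
    return 0;
}
```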
>Unformatted:
