Re: Overflows in minicom

From: Alan Cox (alanat_private)
Date: Sun May 10 1998 - 16:40:15 PDT

    >  It seems minicom(distributed with slak3.4) have some overflow
    > vulnerabilities, namely in the '-p' switch and when you pick a config
    > file on the arguments. (a strcpy and a sprintf)
    >
    >  you may test it with:
    >   $ minicom -p/dev/ttyp`perl -e 'print "A" x 2500'`
    >     (Some garbage)
    >     Segmentation fault
    
    That appears to be an understatement at least with minicom 1.81. I've just
    been through doing the usual snprintfing etc. It has stuff like
    
            strcpy(buffer, getenv("TERM"))
    
    in it.
    
    It's also got a few I18N buffer overruns. This is something that seems to be
    creeping into code as people update it. When you go from
    
            char buf[31];
            sprintf(buf,"Hello %.30s",x)
    
    to
    
            char buf[31];
            sprintf(buf, _("Hello %.10s"), x)
    
    you blow your protection since a user can set the NLSPATH and catalogs and
    translate catalogs so that "Hello %.10s" becomes "%s", opening up an
    attack point.
    
    Alan
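An added illustration of the translated-format-string point above; this is example code written for this archive page, not code from the original post or from minicom. It keeps the post's numbers (a 31-byte buffer, a 2500-byte argument, the "Hello %.10s" format) and shows two defensive answers: bounding the write with snprintf so the buffer size holds no matter what the catalog says, and checking that a translation keeps the original's conversion specs before it is used. The names fake_catalog, next_spec, same_conversions, translate_checked, format_bounded and the sample strings are all constructed for this example and stand in for gettext's _() and a real message catalog.

```c
/* Added example (not from the original post or from minicom): why a translated
 * format string can undo a %.Ns bound, and two defensive answers to it.
 * Every name and sample value here is constructed for the illustration. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 31       /* same size as the buf[31] in the post */
#define ARG_LEN 2500     /* same length as the "A" x 2500 argument in the post */

static char long_arg[ARG_LEN + 1];
static char out[BUF_LEN];

/* Constructed 2500-byte argument, built once and reused. */
const char *init_long_arg(void) {
    if (long_arg[0] == '\0') {
        memset(long_arg, 'A', ARG_LEN);
        long_arg[ARG_LEN] = '\0';
    }
    return long_arg;
}

/* Stand-in for gettext's _(): returns whatever the catalog says. With NLSPATH
 * under the user's control, that string is untrusted input. */
const char *fake_catalog(const char *msgid, const char *translation) {
    return translation ? translation : msgid;
}

/* Bytes sprintf(fmt, x) would write, excluding the NUL (C99 snprintf(NULL, 0, ...)). */
size_t needed_len(const char *fmt, const char *x) {
    return (size_t)snprintf(NULL, 0, fmt, x);
}

/* 1 if sprintf() into a BUF_LEN buffer would overrun with this format and argument. */
int would_overflow(const char *fmt, const char *x) {
    return needed_len(fmt, x) + 1 > BUF_LEN;
}

/* Defence 1: bound the write. Formats x with fmt into the fixed buffer `out`;
 * returns 1 if the result had to be truncated, 0 otherwise. */
int format_bounded(const char *fmt, const char *x) {
    int n = snprintf(out, sizeof out, fmt, x);
    return n < 0 || (size_t)n >= sizeof out;
}

/* Locate the next conversion spec in s (skipping "%%"); *len gets its length
 * including the conversion letter. */
static const char *next_spec(const char *s, size_t *len) {
    for (;;) {
        s = strchr(s, '%');
        if (!s) return NULL;
        if (s[1] == '%') { s += 2; continue; }
        const char *e = s + 1;
        while (*e && !strchr("diouxXeEfgGcsp", *e)) e++;  /* flags, width, precision, length */
        *len = (size_t)(e - s) + (*e ? 1 : 0);
        return s;
    }
}

/* Defence 2: refuse a translation whose conversion specs differ from the
 * original's in count, order or text, so "%.10s" cannot silently become "%s". */
int same_conversions(const char *orig, const char *trans) {
    size_t la = 0, lb = 0;
    const char *a = orig, *b = trans;
    for (;;) {
        a = next_spec(a, &la);
        b = next_spec(b, &lb);
        if (!a || !b) return a == b;   /* both exhausted, or one has extra specs */
        if (la != lb || memcmp(a, b, la) != 0) return 0;
        a += la;
        b += lb;
    }
}

/* Wrap the catalog lookup: fall back to the untranslated msgid when the
 * translation changes the conversion specs. */
const char *translate_checked(const char *msgid, const char *translation) {
    const char *t = fake_catalog(msgid, translation);
    return same_conversions(msgid, t) ? t : msgid;
}

int main(void) {
    const char *x = init_long_arg();
    const char *good = translate_checked("Hello %.10s", "Bonjour %.10s");
    const char *bad  = translate_checked("Hello %.10s", "%s");
    printf("%-14s needs %4zu bytes, overflow=%d\n", good, needed_len(good, x), would_overflow(good, x));
    printf("%-14s needs %4zu bytes, overflow=%d\n", "%s (raw)", needed_len("%s", x), would_overflow("%s", x));
    printf("checked lookup of \"%%s\" fell back to: %s\n", bad);
    printf("snprintf truncated=%d, wrote \"%s\"\n", format_bounded("%s", x), out);
    return 0;
}
```

The first defence is the one Alan describes doing (snprintfing); the second is the check a build or a wrapper around the catalog lookup can apply so a catalog that rewrites the precision is simply not honoured. Neither is a substitute for the other: the bound protects the buffer, the check protects the program's intended output.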
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:07 PDT