Hi!

> I have recently found a buffer overflow in a TetriNet daemon for Linux
> called "Tetrix". To exploit this bug, you will need a hostname longer than
> 122 characters, and any method of connecting to the host on port 31457.
> Once you are connected, the overflow should take place.
>
> here is the patch!

...which does not work.

> diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c
> --- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998
> +++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999
> @@ -250,15 +250,17 @@
> unsigned long ip;
> {
> struct hostent *hp; unsigned long addr=ip;
> - unsigned char *p; static char s[121];
> -/* alarm(10);*/
> + unsigned char *p; static char s[UHOSTLEN];
> +
> hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/
> if (hp==NULL) {
> p=(unsigned char *)&addr;
> sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);
> return s;
> }
> - strcpy(s,hp->h_name); return s;
> + strncpy(s,hp->h_name,(UHOSTLEN-1));
> + s[strlen(s)]='\0';
> + return s;

If s is not null-terminated after strncpy...

	The strncpy() function is similar, except that not more than n bytes
	of src are copied. Thus, if there is no null byte among the first n
	bytes of src, the result will not be null-terminated.

...then s[strlen(s)]='\0'; will not help it - because strlen() looks for
\0 :-).

s[UHOSTLEN-1]='\0'; would be correct.

								Pavel
-- 
I'm really pavelat_private	   Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
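Review bot: in the net.c hunk, the added line `s[strlen(s)]='\0';` after `strncpy(s,hp->h_name,(UHOSTLEN-1));` does not establish termination: strlen() only returns once it finds a NUL, so the line is a no-op when the copy is already terminated and reads past the copied bytes when it is not (an h_name of UHOSTLEN-1 bytes or more, for which strncpy writes no terminator). In the long-name case the buffer stays terminated only because `s` is `static` (zero-filled, and its last byte is never written by this strncpy), which is an accident of storage class rather than an explicit guarantee. Replace the line with `s[UHOSTLEN-1]='\0';` so the terminator is written unconditionally. The sprintf() fallback is fine provided UHOSTLEN is at least 16.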
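The strncpy termination issue discussed above, as an added example that is not part of the original post or of tetrinetx: it runs the patch's copy and the corrected copy into a deliberately non-zeroed buffer, and separately into a static buffer as in net.c, and reports whether a NUL terminator is present. The value of UHOSTLEN and the sample hostname are assumptions for the demonstration.

```c
#include <string.h>

/* UHOSTLEN is assumed here; the post does not show tetrinetx's real value. */
#define UHOSTLEN 64

/* Constructed sample: a 100-byte hostname, longer than UHOSTLEN-1. */
static const char LONG_NAME[] =
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";

/* True if the UHOSTLEN-byte buffer s holds a NUL somewhere (safe for strlen/printf). */
static int is_terminated(const char *s)
{
    return memchr(s, '\0', UHOSTLEN) != NULL;
}

/* The copy from the quoted patch.  If name has UHOSTLEN-1 or more bytes, strncpy
 * writes no NUL; the patch's s[strlen(s)]='\0' cannot repair that, because strlen
 * itself needs a NUL to stop, so that line is omitted here rather than invoking UB. */
static void copy_like_patch(char *s, const char *name)
{
    strncpy(s, name, UHOSTLEN - 1);
}

/* The correction from the reply: terminate the last slot unconditionally. */
static void copy_fixed(char *s, const char *name)
{
    strncpy(s, name, UHOSTLEN - 1);
    s[UHOSTLEN - 1] = '\0';
}

/* Copies name into a stack buffer pre-filled with 'X' (simulating reused, non-zero
 * memory).  fixed=0 uses the patch's copy, fixed=1 the corrected one.
 * Returns 1 if the result is NUL-terminated, 0 if it is not. */
int terminated_after_copy(const char *name, int fixed)
{
    char s[UHOSTLEN];
    memset(s, 'X', sizeof s);
    if (fixed) copy_fixed(s, name); else copy_like_patch(s, name);
    return is_terminated(s);
}

/* Same patch-style copy into a static buffer, as net.c declares it: static storage
 * starts zero-filled and strncpy never touches s[UHOSTLEN-1], so the terminator
 * survives only by that accident of storage class. */
int terminated_after_static_copy(const char *name)
{
    static char s[UHOSTLEN];
    copy_like_patch(s, name);
    return is_terminated(s);
}
```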
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:13 PDT