Re: Tetrix 1.13.16 is Vulnerable

From: Pavel Machek (pavelat_private)
Date: Fri Feb 19 1999 - 02:04:42 PST

    Hi!
    
    >    I have recently found a buffer overflow in a TetriNet daemon for Linux
    > called "Tetrix". To exploit this bug, you will need a hostname longer than
    > 122 characters, and any method of connecting to the host on port 31457.
    > Once you are connected, the overflow should take place.
    >
    > here is the patch!
    
    ...which does not work.
    
    > diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c
    > --- tetrinetx-1.13.16.orig/src/net.c	Thu Dec 24 00:24:50 1998
    > +++ tetrinetx-1.13.16/src/net.c	Sun Feb 14 16:22:11 1999
    > @@ -250,15 +250,17 @@
    >  unsigned long ip;
    >  {
    >    struct hostent *hp; unsigned long addr=ip;
    > -  unsigned char *p; static char s[121];
    > -/*  alarm(10);*/
    > +  unsigned char *p; static char s[UHOSTLEN];
    > +
    >    hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/
    >    if (hp==NULL) {
    >      p=(unsigned char *)&addr;
    >      sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);
    >      return s;
    >    }
    > -  strcpy(s,hp->h_name); return s;
    > +  strncpy(s,hp->h_name,(UHOSTLEN-1));
    > +  s[strlen(s)]='\0';
    > +  return s;
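    Review bot: the termination at `+  s[strlen(s)]='\0';` is a no-op: strlen() stops at the first NUL it can find, so the store lands on a byte that is already zero, and when hp->h_name has no NUL within its first UHOSTLEN-1 bytes strncpy() leaves s unterminated and strlen() reads past the end of s before that write. Terminate at a fixed position instead, `s[UHOSTLEN-1]='\0';`, so s is a valid string whatever the hostname length. The sprintf() branch is fine as long as UHOSTLEN is at least 16 (four unsigned char values print as at most 15 characters plus the NUL); its definition is not in this hunk, so that is worth confirming.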
    
    If s is not null-terminated after strncpy...
    
           The  strncpy()  function  is similar, except that not more
           than n bytes of src are copied. Thus, if there is no  null
           byte among the first n bytes of src, the result will not be
           null-terminated.
    
    ...then s[strlen(s)]='\0'; will not help it - because strlen() looks
    for \0 :-).
    
    s[UHOSTLEN-1]='\0'; would be correct.
    
    								Pavel
    
    --
    I'm really pavelat_private 	   Pavel
    Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
    
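The termination problem discussed in this reply, as an added example that is not part of the original post or of the Tetrix source: the patch's strncpy()/strlen() termination beside the s[UHOSTLEN-1] correction, both run on a constructed hostname longer than the buffer. The value of UHOSTLEN and the guard region after the buffer are assumptions made so the demo can show the fault without reading out of bounds.

```c
#include <stdio.h>
#include <string.h>

/* UHOSTLEN appears in the patch but its value is not shown in the thread; 16 is
 * a constructed stand-in. GUARD is padding after the real buffer so that this
 * demo's strlen() stays in bounds. The daemon has no guard: there strlen() would
 * read past s until it happened upon a zero byte. */
#define UHOSTLEN 16
#define GUARD    64

static char s[UHOSTLEN + GUARD];   /* the daemon's static s, plus the guard */
static void reset_buffer(void)
{
    memset(s, 'X', sizeof s);      /* no NUL anywhere in s or the guard... */
    s[sizeof s - 1] = '\0';        /* ...except the very last guard byte */
}

/* Termination exactly as the posted patch does it. Returns the index where
 * the '\0' was written, i.e. how far strlen() had to walk to find a NUL. */
static size_t terminate_as_patched(const char *name)
{
    reset_buffer();
    strncpy(s, name, UHOSTLEN - 1);
    size_t n = strlen(s);          /* first NUL, wherever that happens to be */
    s[n] = '\0';                   /* rewrites a byte that is already NUL */
    return n;
}

/* Termination as corrected in the reply: the last byte of s is always NUL. */
static size_t terminate_fixed(const char *name)
{
    reset_buffer();
    strncpy(s, name, UHOSTLEN - 1);
    s[UHOSTLEN - 1] = '\0';
    return strlen(s);
}

/* 1 if s is a valid C string within its UHOSTLEN bytes, 0 otherwise. */
static int is_terminated(void) { return memchr(s, '\0', UHOSTLEN) != NULL; }

int main(void)
{
    const char *longname = "a-very-long-reverse-dns-name.example"; /* constructed */
    size_t n = terminate_as_patched(longname);
    printf("patched: NUL written at index %zu, terminated=%d\n", n, is_terminated());
    n = terminate_fixed(longname);
    printf("fixed:   strlen %zu, terminated=%d\n", n, is_terminated());
    return 0;
}
```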



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:13 PDT