> /*
>  * Telnetd AYT overflow scanner, by Security Point(R)
>  * Bug found by scut of TESO Security
[...]
>  * With Security Point(R) Scanner you can find and repair the
>  * Vulnerabilities before the bad guys get in.

Does anyone else find it as ironic as I that this code contains a..buffer overflow?

> char sendbuffer[5120*2];
> bzero(sendbuffer,sizeof(sendbuffer));
> for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
>     sprintf(sendbuffer,"%s%c%c",sendbuffer,255,246); // 0xff 0xf6 - IAC AYT
> }

Quite aside from the _horrible_ misuse of sprintf, this writes a NUL one byte past the end of sendbuffer[]. I sure wouldn't trust anything about my system to code from whoever wrote this. Just on a quick once-over, I see seven other things I would say are wrong with it.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouseat_private
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
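The off-by-one described in the message above, worked through as an added example that is not part of the original post or of the quoted scanner: the loop runs 5120 times and appends two bytes each time, so the final sprintf stores its terminating NUL at index 10240 of a 10240-byte array (passing the destination as its own %s argument is also undefined behaviour in C). The function names and the guard byte are assumptions of this example; the bounded fill treats the data as binary with an explicit length.

```c
#include <stddef.h>
#include <string.h>

#define IAC 0xff /* telnet "Interpret As Command" */
#define AYT 0xf6 /* telnet "Are You There" */

/* Bytes the quoted loop stores into a buffer of bufsize bytes:
 * bufsize/2 iterations, each appending two bytes, plus the NUL that
 * sprintf always writes after its output. */
size_t quoted_loop_bytes(size_t bufsize)
{
    return (bufsize / 2) * 2 + 1;
}

/* Bounded fill: the data is binary, so track its length explicitly
 * and never store a terminator. Returns the number of bytes stored,
 * which is at most bufsize. */
size_t fill_iac_ayt(unsigned char *buf, size_t bufsize)
{
    size_t n = 0;
    while (bufsize - n >= 2) {
        buf[n++] = IAC;
        buf[n++] = AYT;
    }
    return n;
}

/* Constructed check: place a guard byte directly after a buffer of
 * `size` bytes (size <= 5120*2), fill it, and report whether the
 * guard survived. Returns 1 if nothing was written past the end. */
int guard_intact_after_fill(size_t size)
{
    unsigned char arena[5120 * 2 + 1];
    if (size > sizeof(arena) - 1)
        return 0;
    memset(arena, 0, sizeof(arena));
    arena[size] = 0xAA; /* guard byte, constructed for this example */
    fill_iac_ayt(arena, size);
    return arena[size] == 0xAA;
}
```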
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 15:03:53 PDT