> /*
> * Telnetd AYT overflow scanner, by Security Point(R)
> * Bug found by scut of TESO Security
[...]
> * With Security Point(R) Scanner you can find and repair the
> * Vulnerabilities before the bad guys get in.
Does anyone else find it as ironic as I that this code contains
a..buffer overflow?
> char sendbuffer[5120*2];
> bzero(sendbuffer,sizeof(sendbuffer));
> for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
> sprintf(sendbuffer,"%s%c%c",sendbuffer,255,246); // 0xff 0xf6 - IAC AYT
> }
Quite aside from the _horrible_ misuse of sprintf, this writes a NUL
one byte past the end of sendbuffer[].
I sure wouldn't trust anything about my system to code from whoever
wrote this. Just on a quick once-over, I see seven other things I
would say are wrong with it.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouseat_private
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 15:03:53 PDT