Hey, I know I'm not on the lib team, but I found and patched a
bug in libtermcap, so I thought I should let you guys know :)
There's a buffer overflow in tgetent under certain circumstances,
circumstances which are easy for a cracker to influence.
Here's the patch; it's untested, so I can't guarantee anything:
--- libtermcap/termcap.c.old Sat Feb 15 20:01:15 1997
+++ libtermcap/termcap.c Sat Feb 15 20:00:45 1997
@@ -35,19 +35,20 @@
static char sccsid[] = "@(#)termcap.c 8.1 (Berkeley) 6/4/93";
#endif /* not lint */
-#define PBUFSIZ 512 /* max length of filename path */
-#define PVECSIZ 32 /* max number of names in path */
-#define TBUFSIZ 1024 /* max length of tgetent buffer */
-
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include
#include
+#include /* MAXPATHLEN */
#include "termcap.h"
#include "pathnames.h"
+#define PBUFSIZ MAXPATHLEN /* max length of filename path */
+#define PVECSIZ 32 /* max number of names in path */
+#define TBUFSIZ 1024 /* max length of tgetent buffer */
+
extern void __set_ospeed(speed_t speed);
/*
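Review bot: The comment kept on `PBUFSIZ` still reads "max length of filename path", but the comment in the second hunk shows pathbuf holding a space-separated list such as "$HOME/.termcap /etc/termcap", so MAXPATHLEN now bounds the whole search list rather than one file name. I would say so on the define, e.g. `#define PBUFSIZ MAXPATHLEN /* size of pathbuf: whole space-separated search list, incl. NUL */`. A short comment explaining that the three defines moved below the includes because PBUFSIZ now depends on MAXPATHLEN would also save the next reader a look at the history.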
@@ -101,19 +102,23 @@
- becomes "$HOME/.termcap /etc/termcap" if no TERMPATH exists.
*/
if (!cp || *cp != '/') { /* no TERMCAP or it holds an entry */
- if (termpath = getenv("TERMPATH"))
+ if (termpath = getenv("TERMPATH")) {
strncpy(pathbuf, termpath, PBUFSIZ);
- else {
- if (home = getenv("HOME")) { /* set up default */
- p += strlen(home); /* path, looking in */
- strcpy(pathbuf, home); /* $HOME first */
- *p++ = '/';
+ pathbuf[PBUFSIZ-1] = '\0';
+ } else {
+ /* set up default path */
+ if (home = getenv("HOME")) {
+ sprintf(pathbuf, "%.*s/", PBUFSIZ-2, home);
+ p += strlen(pathbuf);
} /* if no $HOME look in current directory */
strncpy(p, _PATH_DEF, PBUFSIZ - (p - pathbuf));
+ pathbuf[PBUFSIZ-1] = '\0';
}
}
- else /* user-defined name in TERMCAP */
+ else { /* user-defined name in TERMCAP */
strncpy(pathbuf, cp, PBUFSIZ); /* still can be tokenized */
+ pathbuf[PBUFSIZ-1] = '\0';
+ }
*fname++ = pathbuf; /* tokenize path into vector of names */
while (*++p)
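Review bot: An over-long TERMPATH, HOME or TERMCAP value is silently truncated rather than rejected at the three copies into pathbuf, so the lookup can continue with a path the caller never named; in the HOME branch a long value can also leave no room for `_PATH_DEF`, cutting the default entries out of the search list. Because these values come from the environment, I would check the length before each copy and take the function's failure path instead, e.g. `if (strlen(termpath) >= PBUFSIZ) /* fail rather than truncate */`. The `sprintf` with `%.*s` is bounded as written (PBUFSIZ-2 bytes plus `/` and the terminator), though `snprintf(pathbuf, PBUFSIZ, "%s/", home)` would make the limit explicit and report truncation through its return value. The tokenizing loop that fills `fname` runs past the end of the hunk, so whether it is bounded by PVECSIZ cannot be confirmed from here.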
--Aaron
Received on Sat Feb 15 19:07:15 1997