
amd.patch

amd.patch
Posted Sep 28, 1999

Patch for amd that prevents remote users from executing arbitrary code as root in the amd daemon context.

tags | exploit, remote, arbitrary, root
SHA-256 | 90eb9d58c8d1ac2665e015cc26a337f33de00361023b565d00bf182ab2bf0db0

amd.patch

-----BEGIN PGP SIGNED MESSAGE-----

Index: xutil.c
===================================================================
RCS file: /home/ncvs/src/contrib/amd/libamu/xutil.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- xutil.c 1999/01/13 19:20:33 1.1.1.3
+++ xutil.c 1999/08/25 18:59:39 1.1.1.3.2.1
@@ -272,16 +272,18 @@

/*
* Take a log format string and expand occurrences of %m
- * with the current error code taken from errno.
+ * with the current error code taken from errno. Make sure
+ * 'e' never gets longer than maxlen characters.
*/
static void
-expand_error(char *f, char *e)
+expand_error(char *f, char *e, int maxlen)
{
extern int sys_nerr;
- char *p;
+ char *p, *q;
int error = errno;
+ int len = 0;

- for (p = f; (*e = *p); e++, p++) {
+ for (p = f, q = e; (*q = *p) && len < maxlen; len++, q++, p++) {
if (p[0] == '%' && p[1] == 'm') {
const char *errstr;
if (error < 0 || error >= sys_nerr)
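Review bot: The new loop condition `(*q = *p) && len < maxlen` performs the store before it tests `len`, so on the iteration where `len == maxlen` a byte is written to `e[maxlen]`, one past the size the caller passed. Testing the bound first and reserving the terminator slot, `len < maxlen - 1 && (*q = *p)`, keeps every plain-character store inside the buffer, and the existing `e[maxlen-1] = '\0'` at the end of the function still terminates the string. `maxlen` is an `int` and is never checked for being positive. The body of expand_error continues in the next hunk.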
@@ -289,13 +291,15 @@
else
errstr = sys_errlist[error];
if (errstr)
- strcpy(e, errstr);
+ strcpy(q, errstr);
else
- sprintf(e, "Error %d", error);
- e += strlen(e) - 1;
+ sprintf(q, "Error %d", error);
+ len += strlen(q) - 1;
+ q += strlen(q) - 1;
p++;
}
}
+ e[maxlen-1] = '\0'; /* null terminate, to be sure */
}


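Review bot: The `strcpy(q, errstr)` and `sprintf(q, "Error %d", error)` calls in the `%m` branch are not limited by `maxlen`. The loop only tests `len` before the next character, so an expansion that begins near the end of `e` writes past it before the bound is seen, and the final `e[maxlen-1] = '\0'` runs after that write has already happened. A bounded form such as `snprintf(q, maxlen - len, "%s", errstr)`, and likewise for the `"Error %d"` case, would keep the expansion inside the buffer. Separately, `strlen(q) - 1` is evaluated in `size_t`, so an empty `errstr` would wrap before being added to `len` and `q`. The start of expand_error is in the previous hunk.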
@@ -401,9 +405,15 @@
checkup_mem();
#endif /* DEBUG_MEM */

- expand_error(fmt, efmt);
+ expand_error(fmt, efmt, 1024);

+ /*
+ * XXX: ptr is 1024 bytes long. It is possible to write into it
+ * more than 1024 bytes, if efmt is already large, and vargs expand
+ * as well.
+ */
vsprintf(ptr, efmt, vargs);
+ msg[1023] = '\0'; /* null terminate, to be sure */

ptr += strlen(ptr);
if (ptr[-1] == '\n')
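Review bot: `vsprintf(ptr, efmt, vargs)` is still unbounded, as the added XXX comment itself says, and `msg[1023] = '\0'` runs only after the write, so it limits later reads of the string but not the overflow. Passing the remaining space, for example `vsnprintf(ptr, 1024 - (ptr - msg), efmt, vargs);`, would close the case the comment describes; this assumes `ptr` points into a 1024-byte `msg`, whose declaration is outside the hunk. Until then the safety of this call depends on every caller keeping its arguments short. The literal `1024` now appears both here and in the `expand_error` call, so a named constant or `sizeof` on the buffers would keep them in step with the declarations. The enclosing function starts and ends outside the hunk.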
Index: amq_subr.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/contrib/amd/amd/amq_subr.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- amq_subr.c 1999/01/13 20:03:54 1.3
+++ amq_subr.c 1999/09/07 23:07:03 1.4
@@ -204,11 +204,24 @@
int *
amqproc_mount_1_svc(voidp argp, struct svc_req *rqstp)
{
- static int rc;
- char *s = *(amq_string *) argp;
+ static int rc = EINVAL;
+ char s[AMQ_STRLEN];
char *cp;
+ char dq[20];
+ struct sockaddr_in *sin;
+
+ if ((sin = amu_svc_getcaller(rqstp->rq_xprt)) == NULL) {
+ plog(XLOG_ERROR, "amu_svc_getcaller returned NULL");
+ return &rc;
+ }
+
+ strncpy(s, *(amq_string *) argp, AMQ_STRLEN-1);
+ s[AMQ_STRLEN-1] = '\0'; /* null terminate, to be sure */
+ plog(XLOG_ERROR,
+ "amq requested mount of %s from %s.%d",
+ s, inet_dquad(dq, sin->sin_addr.s_addr),
+ ntohs(sin->sin_port));

- plog(XLOG_INFO, "amq requested mount of %s", s);
/*
* Minimalist security check.
*/
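Review bot: `static int rc = EINVAL;` initialises `rc` only once, so the early `return &rc;` on a NULL caller returns whatever a previous call left in `rc` rather than EINVAL, if the rest of the function (outside this hunk) assigns to it. An explicit `rc = EINVAL;` at the top of the body would make the failure path independent of earlier requests. The request is also now logged at `XLOG_ERROR` on every call, including legitimate ones, and `s` is client-supplied text written to the log as-is. A short comment saying why the level was raised, and whether non-printable bytes in `s` should be escaped before logging, would help whoever reads these logs during an investigation.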

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBN+VNOVUuHi5z0oilAQGELgP/aMopeczE5TqvOVnNQCpv2dWX8klnFEhn
K2TVhpLw0HoJHASWEtalMznxCLe/CzAdw/NmYiqrKeletHL1tfclbbS1+TLPW7tB
p2iN5iQQfaczD95fJip7St4hrPxgSE/kvIHa92YAoa6i1A1JOsM5o5tlUC4kJiiY
n/ORSJvPlb0=
=APcV
-----END PGP SIGNATURE-----
