Package: minicom
Version: 2.1-9
Severity: normal
Tags: patch

Minicom crashes when characters are inserted at the beginning of some line and the screen is very wide (160+x actually).
Steps to reproduce:
  Get your xterm (or whatever) wider than ~200 chars.
  Start minicom, connect somewhere.
  Type something.
  Use the arrow keys to go back to the beginning of the line.
  Type another character.
  Watch it crash.
  If it didn't crash, repeat.

The problem lies in winschar2(). Some excerpts:

  ELM buf[160];
  /* .. some stuff omitted .. */
  len = w->xs - w->curx;
  memcpy(buf, gmap + COLS * y + x, sizeof(ELM) * len);

w->xs is the width of the window in characters, w->curx is the current position. So if the distance between the current cursor position and the right border of the window exceeds 160 characters you are in trouble, since random stuff on the stack is overwritten.

This overflow could be a security risk, but I think the possibilities end at crashing minicom. I haven't checked this thoroughly, but I don't think an attacker has enough control over what gets written to execute arbitrary code. The attacker has full control over every third byte (ELM.value), but only very limited control over the others (ELM.attr, ELM.color).

I see 2 ways out of this: making buf large enough so that no one will bump into that limit again sometime soon, or allocating buf dynamically via malloc, so it always has the right size. I've implemented both ways; patches are attached.

Cheers,
Christian Aichinger

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc6-vs2.1.0-pre1-r20050817
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)

Versions of packages minicom depends on:
ii  libc6        2.3.5-6   GNU C Library: Shared libraries an
ii  libncurses5  5.4-9     Shared libraries for terminal hand

Versions of packages minicom recommends:
pn  lrzsz        <none>    (no description available)

-- no debconf information
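The insertion the report describes, written here as an added example and not minicom's own code: a row of screen cells is shifted right by one at the cursor, first with a heap temporary sized from len (the approach of the second patch) together with the argument and allocation checks that a fixed 160-cell buffer cannot provide, and then with memmove, which needs no temporary at all. The ELM layout (value, attr, color) and all function names here are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cell type modelled on the three ELM fields the report mentions (value, attr,
 * color). This is an assumed layout for the example, not minicom's definition. */
typedef struct {
    unsigned char value;
    unsigned char attr;
    unsigned char color;
} ELM;

/* Insert c at column curx of a row that is xs cells wide, shifting the cells to
 * its right by one and dropping the last one. Uses a heap temporary sized from
 * len, like the report's second patch, but validates the arguments and the
 * allocation first. Returns 0 on success, -1 on bad input or malloc failure. */
int insert_cell_heap(ELM *row, int xs, int curx, unsigned char c)
{
    if (row == NULL || xs <= 0 || curx < 0 || curx >= xs)
        return -1;                              /* len would be <= 0 otherwise */
    size_t len = (size_t)(xs - curx);           /* cells from curx to the right edge */
    ELM *buf = malloc(sizeof(ELM) * len);
    if (buf == NULL)
        return -1;                              /* memcpy into NULL would crash */
    memcpy(buf, row + curx, sizeof(ELM) * len);
    row[curx].value = c;
    row[curx].attr = 0;
    row[curx].color = 0;
    if (len > 1)
        memcpy(row + curx + 1, buf, sizeof(ELM) * (len - 1));
    free(buf);
    return 0;
}

/* Same operation without any temporary: memmove handles the overlapping copy,
 * so there is no buffer whose size a wide window could exceed. */
int insert_cell_move(ELM *row, int xs, int curx, unsigned char c)
{
    if (row == NULL || xs <= 0 || curx < 0 || curx >= xs)
        return -1;
    size_t len = (size_t)(xs - curx);
    if (len > 1)
        memmove(row + curx + 1, row + curx, sizeof(ELM) * (len - 1));
    row[curx].value = c;
    row[curx].attr = 0;
    row[curx].color = 0;
    return 0;
}

/* Fill a row with a recognisable constructed pattern: cell i holds 'a' + (i % 26). */
void fill_row(ELM *row, int xs)
{
    for (int i = 0; i < xs; i++) {
        row[i].value = (unsigned char)('a' + (i % 26));
        row[i].attr = 1;
        row[i].color = 7;
    }
}

/* Insert at column 0 of a row wider than the original 160-cell temporary and
 * print the cells that moved. Returns the last cell's value after the shift. */
unsigned char demo(int xs)
{
    ELM *row = malloc(sizeof(ELM) * (size_t)xs);
    if (row == NULL)
        return 0;
    fill_row(row, xs);
    unsigned char last_before = row[xs - 1].value;
    insert_cell_heap(row, xs, 0, 'X');
    printf("first=%c second=%c last=%c (was %c)\n",
           row[0].value, row[1].value, row[xs - 1].value, last_before);
    unsigned char last = row[xs - 1].value;
    free(row);
    return last;
}

int main(void)
{
    demo(300);
    return 0;
}
```

Both functions give identical rows; the memmove form is the one to prefer because it removes the temporary entirely, which is what made the size of buf a correctness question in the first place.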
diff -Nurp minicom-2.1.orig/src/window.c minicom-2.1/src/window.c --- minicom-2.1.orig/src/window.c 2005-11-03 03:21:55.000000000 +0100 +++ minicom-2.1/src/window.c 2005-11-03 04:24:57.000000000 +0100 @@ -1551,7 +1551,7 @@ int move; int y; int x; int doit = 1; - ELM buf[160]; + ELM buf[1024]; ELM *e; int len, odir; int oldx;
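Review bot: the hunk at `+ ELM buf[1024];` raises the limit but keeps the unchecked pattern: `len = w->xs - w->curx` is still copied into a fixed array with no comparison against its size, so a window wider than 1024 columns overflows exactly as the 160-cell version did. If the fixed buffer is kept, clamp or reject before the memcpy, e.g. `if (len > 1024) len = 1024;` (or refuse the insert), ideally written in terms of `sizeof(buf) / sizeof(buf[0])` so the two numbers cannot drift apart.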
diff -Nurp minicom-2.1.orig/src/window.c minicom-2.1/src/window.c --- minicom-2.1.orig/src/window.c 2005-11-03 03:21:55.000000000 +0100 +++ minicom-2.1/src/window.c 2005-11-03 04:29:07.000000000 +0100 @@ -1551,7 +1551,7 @@ int move; int y; int x; int doit = 1; - ELM buf[160]; + ELM *buf; ELM *e; int len, odir; int oldx; @@ -1583,6 +1583,8 @@ int move; x = w->x1 + w->curx; oldx = w->curx; len = w->xs - w->curx; + + buf = malloc(sizeof(ELM)*len); memcpy(buf, gmap + COLS * y + x, sizeof(ELM) * len); /* Now, put the new character on screen. */ @@ -1597,6 +1599,7 @@ int move; } w->direct = odir; wlocate(w, w->curx, w->cury); + free(buf); } void winschar(w)
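Review bot: in the hunk at `@@ -1583,6 +1583,8 @@`, `+ buf = malloc(sizeof(ELM)*len);` is not checked before the following `memcpy(buf, gmap + COLS * y + x, sizeof(ELM) * len);`, so an allocation failure turns into a NULL dereference; add `if (buf == NULL) return;` (or whatever error convention the function uses) right after the malloc. The same hunk computes `len = w->xs - w->curx` with no lower bound: if curx can ever equal or exceed xs, len is zero or negative and `sizeof(ELM)*len` converts to a huge size_t before malloc sees it, so guard `len <= 0` as well. Minor style point: `sizeof(ELM)*len` versus the existing `sizeof(ELM) * len` on the next line.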
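Review bot: in the hunk at `@@ -1597,6 +1599,7 @@`, `+ free(buf);` sits at the very end of the function, after `wlocate(w, w->curx, w->cury);`. Any return between the allocation in the previous hunk and this line (the region the diff does not show) would leak the buffer; it is worth checking that no such path exists, or moving the free to immediately after the copy-back so it is paired with the allocation rather than with function exit.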