Package: tftpd-hpa
Version: 0.40-4
Severity: normal
Tags: security

Here's a bugtraq post that describes security holes in a different tftp daemon:
http://marc.theaimsgroup.com/?l=bugtraq&m=109882085912915&w=2

It posits that a rogue dns server on the network could give the tftp daemon bad data, and possibly overflow a buffer with it when it's copied from the gethostbyname data structure. I checked various tftp daemons in debian and only tftpd-hpa seems to be potentially vulnerable to this problem:

    struct sockaddr_in bindaddr;
    ...
    hostent = gethostbyname(address);
    ...
    memcpy(&bindaddr.sin_addr, hostent->h_addr, hostent->h_length);

Here if hostent->h_length is larger than the size of bindaddr.sin_addr, there can be a buffer overflow.

It's worth noting that atftpd has some code to check for such a problem:

    if (host->h_length > sizeof(data.sa_peer.sin_addr))
        host->h_length = sizeof(data.sa_peer.sin_addr);
    memcpy(&data.sa_peer.sin_addr, host->h_addr, host->h_length);

I have no idea if this is exploitable. For all I know, h_length could be sanitised in libc before it gets here, etc. I haven't tried to exploit it. It does seem easy enough to add a check like atftpd's to tftpd-hpa, and stop worrying about the potential problem.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages tftpd-hpa depends on:
ii  debconf       1.4.45         Debian configuration management sy
ii  libc6         2.3.2.ds1-20   GNU C Library: Shared libraries an
ii  libwrap0      7.6.dbs-6      Wietse Venema's TCP wrappers libra

-- debconf information excluded

-- 
see shy jo
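As an added illustration of the fix the report suggests (example code, not tftpd-hpa's or atftpd's own): a helper that validates a gethostbyname() result before copying it into a sockaddr_in. Unlike atftpd's clamp it rejects a mismatched h_length or a non-AF_INET h_addrtype outright, so the daemon never binds to a truncated address; the hostent below is constructed by hand so the example runs offline.

```c
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Copy a resolver result into dst only if it is an IPv4 address of exactly
 * sizeof(struct in_addr) bytes.  Returns 0 on success, -1 otherwise.
 * The original tftpd-hpa code did memcpy(..., hostent->h_length) with no
 * such check, which is the overflow the bug report describes. */
int copy_peer_addr(const struct hostent *he, struct sockaddr_in *dst)
{
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL)
        return -1;
    if (he->h_addrtype != AF_INET)                 /* wrong family */
        return -1;
    if (he->h_length != (int)sizeof(dst->sin_addr)) /* oversized or short */
        return -1;
    memset(dst, 0, sizeof(*dst));
    dst->sin_family = AF_INET;
    /* Copy a fixed sizeof(dst->sin_addr), never the caller-supplied length. */
    memcpy(&dst->sin_addr, he->h_addr_list[0], sizeof(dst->sin_addr));
    return 0;
}

/* Constructed hostent standing in for what a resolver might hand back.
 * addr_buf is deliberately larger than an IPv4 address so that a bogus
 * h_length (e.g. 64) has real bytes behind it. */
static char addr_buf[64];
static char *addr_list[2] = { addr_buf, NULL };

struct hostent make_hostent(int addrtype, int length)
{
    struct hostent he;
    memset(&he, 0, sizeof(he));
    memset(addr_buf, 0xAB, sizeof(addr_buf));
    addr_buf[0] = 10; addr_buf[1] = 0; addr_buf[2] = 0; addr_buf[3] = 1; /* 10.0.0.1 */
    he.h_addrtype = addrtype;
    he.h_length = length;
    he.h_addr_list = addr_list;
    return he;
}

int main(void)
{
    struct sockaddr_in sa;
    struct hostent ok = make_hostent(AF_INET, 4);    /* accepted */
    struct hostent bad = make_hostent(AF_INET, 64);  /* rejected, would overflow */
    return (copy_peer_addr(&ok, &sa) == 0 && copy_peer_addr(&bad, &sa) == -1) ? 0 : 1;
}
```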