----- Forwarded message from "Anibal L. Sacco" <[EMAIL PROTECTED]> -----
From: "Anibal L. Sacco" <[EMAIL PROTECTED]>
Date: Thu, 06 Apr 2006 20:18:44 -0300
To: Joey Hess <[EMAIL PROTECTED]>
Subject: Re: Bug#360989: Multiple buffer overflows in BSDgames 2.17-1 and privilege escalation vulnerability.
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
Joey Hess wrote:
>Anibal L. Sacco wrote:
>
>
>>The vulnerabilities are caused due to boundary errors when reading
>>the player's name in pl_main.c
>>
>>code segment:
>>
>>    printf("Your name, Captain? ");
>>    fflush(stdout);
>>    fgets(captain, sizeof captain, stdin);
>>    if (!*captain)
>>        strcpy(captain, "no name");
>>    else
>>        captain[strlen(captain) - 1] = '\0';
>>}
>>
>>Being captain initialized as: char captain[80].
>>
>>
>
>sizeof(captain) is 80 so fgets reads in at most 79 characters. The trailing
>NULL will be added as the 80th character which still seems to be within
>the array size to me.
>
>
>
>>There is some similar issues in Tetris, and Hack too.
>>
>>
>
>Well feel free to provide the details of those issues.
>
>
>
My mistake... this is the vulnerable code:

    char buf[10];
    printf("\nInitial broadside %s (grape, chain, round, double): ", n ?
        "right" : "left");
    fflush(stdout);
    scanf("%s", buf);
Cheers
----- End forwarded message -----
--
see shy jo
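The two reads discussed in the thread, as an added C example that is not part of the original message or of the BSDgames sources. It puts the unbounded scanf("%s") into a 10-byte buffer beside a width-limited form, and shows why the fgets() call into captain[80] stays within bounds (at most 79 bytes stored plus the terminator). Input is fed through fmemopen() (POSIX) on constructed strings rather than stdin so the functions can be exercised offline; the function names and the sample lines are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BROADSIDE_LEN 10   /* same size as buf[10] in the report */
#define CAPTAIN_LEN   80   /* same size as captain[80] in the report */

/* The unbounded pattern from the report: "%s" carries no field width, so a
   whitespace-delimited token longer than BROADSIDE_LEN-1 bytes is written
   past the end of buf. Kept only for contrast; it is never called below. */
static int read_broadside_unsafe(FILE *in, char buf[BROADSIDE_LEN])
{
    return fscanf(in, "%s", buf);
}

/* Bounded form: the width 9 (BROADSIDE_LEN - 1) limits scanf to nine bytes
   plus the terminator. Whatever is left of the line is drained so the next
   prompt does not consume the overflow tail. Returns fscanf's result. */
static int read_broadside(FILE *in, char buf[BROADSIDE_LEN])
{
    int rc = fscanf(in, "%9s", buf);
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return rc;
}

/* fgets() form for the captain's name. With a size of CAPTAIN_LEN (80) it
   stores at most 79 bytes and always appends '\0', so the array is never
   overrun. The newline is stripped with strcspn() instead of the
   strlen()-1 idiom: on a line longer than 79 bytes no newline is stored
   and strlen()-1 would remove a real character. Returns 1 if a line was
   read, 0 on EOF (in which case "no name" is used, as in the original). */
static int read_captain(FILE *in, char captain[CAPTAIN_LEN])
{
    if (fgets(captain, CAPTAIN_LEN, in) == NULL) {
        strcpy(captain, "no name");
        return 0;
    }
    captain[strcspn(captain, "\n")] = '\0';
    if (!*captain)
        strcpy(captain, "no name");
    return 1;
}

/* Constructed input: a 25-byte token that would overrun buf[10] under the
   unsafe reader, followed by a second answer. Returns 1 if the bounded
   reader truncated the first token to nine bytes and still read the
   second one cleanly. */
static int demo_broadside_bounded(void)
{
    char buf[BROADSIDE_LEN];
    char input[] = "grapegrapegrapegrapegrape\nround\n";
    FILE *in = fmemopen(input, sizeof input - 1, "r");
    if (!in)
        return -1;
    int ok = read_broadside(in, buf) == 1 && strcmp(buf, "grapegrap") == 0;
    ok = ok && read_broadside(in, buf) == 1 && strcmp(buf, "round") == 0;
    fclose(in);
    return ok;
}

/* Constructed input: a 100-byte name line. Returns the length fgets()
   actually stored, which is capped at CAPTAIN_LEN - 1 = 79. */
static int demo_captain_long_line_len(void)
{
    char captain[CAPTAIN_LEN];
    char input[102];
    memset(input, 'A', 100);
    input[100] = '\n';
    input[101] = '\0';
    FILE *in = fmemopen(input, 101, "r");
    if (!in)
        return -1;
    int got = read_captain(in, captain);
    fclose(in);
    return got == 1 ? (int)strlen(captain) : -1;
}

int main(void)
{
    printf("bounded broadside read ok: %d\n", demo_broadside_bounded());
    printf("captain length on 100-byte line: %d\n", demo_captain_long_line_len());
    (void)read_broadside_unsafe;   /* referenced only to keep the contrast visible */
    return 0;
}
```

The fix in the bounded reader is the field width alone; the drain loop is there so that the rest of an over-long answer is not left in the stream to be picked up by the next prompt.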