Package: net-tools
Version: 1.60-17
Severity: normal

Hello,

recently I noticed the following bits of code in the source file net-tools-1.60/ipmaddr.c:

    ...
    char filter_dev[16];
    ...
    static int multiaddr_list(int argc, char **argv)
    {
            struct ma_info *list = NULL;

            while (argc > 0) {
                    if (strcmp(*argv, "dev") == 0) {
                            NEXT_ARG();
                            if (filter_dev[0])
                                    usage();
                            strcpy(filter_dev, *argv);
                    } else if ...
                    ...
                    } else {
                            if (filter_dev[0])
                                    usage();
                            strcpy(filter_dev, *argv);
                    }
                    argv++; argc--;
            }
    }
    ...
    int do_multiaddr(int argc, char **argv)
    {
            ...
            if (matches(*argv, "list") == 0 ||
                matches(*argv, "show") == 0 ||
                matches(*argv, "lst") == 0)
                    return multiaddr_list(argc-1, argv+1);
            usage();
    }
    ...
    int main(int argc, char **argv)
    {
            ...
            return do_multiaddr(argc-1, argv+1);
    }

If you follow the calling chain, you can see that for calls like

    ipmaddr show dev aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

command line arguments are copied into the 16 bytes long buffer 'filter_dev' using 'strcpy' without any length checks. This leads to a buffer overflow.

I did not check whether this is exploitable in any form, but it would be nice if this could be fixed anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)

Versions of packages net-tools depends on:
ii  libc6  2.3.6.ds1-6  GNU C Library: Shared libraries

net-tools recommends no packages.

-- no debconf information
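One way to bound the copy described in the report above, as an added example that is not part of the original message and not the net-tools maintainers' fix. The helper `set_filter_dev` and the simplified loop `parse_list_args` are hypothetical names; only `filter_dev[16]` and the "already set" check come from the quoted code.

```c
#include <stdio.h>
#include <string.h>

#define DEV_NAME_MAX 16   /* size of filter_dev in the report */

static char filter_dev[DEV_NAME_MAX];

/* Hypothetical helper: copy a device name only if it fits, terminator
 * included. Returns 0 on success, -1 if a name is already set or the
 * argument is too long. The buffer is left untouched on failure. */
static int set_filter_dev(char *dst, size_t dstsz, const char *arg)
{
    size_t len;
    if (dst[0] != '\0')
        return -1;              /* mirrors "if (filter_dev[0]) usage();" */
    len = strlen(arg);
    if (len >= dstsz)
        return -1;              /* reject instead of overflowing or truncating */
    memcpy(dst, arg, len + 1);  /* len + 1 <= dstsz, so the NUL fits */
    return 0;
}

/* Simplified stand-in for the argument loop in multiaddr_list():
 * handles only "dev NAME" and a bare NAME. Returns 0 or -1. */
static int parse_list_args(int argc, char **argv)
{
    filter_dev[0] = '\0';
    while (argc > 0) {
        if (strcmp(*argv, "dev") == 0) {
            argv++; argc--;
            if (argc <= 0)
                return -1;      /* "dev" with no name following */
        }
        if (set_filter_dev(filter_dev, sizeof(filter_dev), *argv) != 0)
            return -1;
        argv++; argc--;
    }
    return 0;
}

int main(void)
{
    char *ok[]  = { "dev", "eth0" };                          /* constructed input */
    char *bad[] = { "dev", "aaaaaaaaaaaaaaaaaaaaaaaaaaaa" };  /* constructed input */
    printf("short name: %d (%s)\n", parse_list_args(2, ok), filter_dev);
    printf("long name:  %d\n", parse_list_args(2, bad));
    return 0;
}
```

A 15-character name is the longest that fits, since the sixteenth byte holds the terminating NUL.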