Package: dhcp-client
Version: 2.0pl5-19.4
Severity: normal

Hi,

recently I noticed the following bits of code in the source file
dhcp-2.0pl5/client/dhclient.c:

    int main (argc, argv, envp)
            int argc;
            char **argv, **envp;
    {
            ...
            for (i = 1; i < argc; i++) {
                    if (!strcmp (argv [i], "-p")) {
                            ...
                    } else {
                            struct interface_info *tmp =
                                    ((struct interface_info *)
                                     dmalloc (sizeof *tmp, "specified_interface"));
                            if (!tmp)
                                    error ("Insufficient memory to %s %s",
                                           "record interface", argv [i]);
                            memset (tmp, 0, sizeof *tmp);
                            strcpy (tmp -> name, argv [i]);
                            ...
                    }
            }
            ...
    }

The 'strcpy' copies the command line argument into the 16 byte long
buffer 'tmp->name' without any length check. This leads to a buffer
overflow.

Probably the following error message is a symptom of this problem:

    [EMAIL PROTECTED] [~] /sbin/dhclient $(python -c 'print "a"*2000')
    Internet Software Consortium DHCP Client 2.0pl5
    Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
    All rights reserved.

    Please contribute if you find this software useful.
    For info, please visit http://www.isc.org/dhcp-contrib.html

    *** glibc detected *** realloc(): invalid next size: 0x0806e868 ***
    Aborted

I did not check whether this is exploitable in any way, but probably
this should be fixed anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)

Versions of packages dhcp-client depends on:
ii  libc6                      2.3.6.ds1-6   GNU C Library: Shared libraries

dhcp-client recommends no packages.

-- no debconf information
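Added example, not part of the original report and not the ISC or Debian fix: one way to do the length check the report says is missing before copying argv[i] into the 16 byte name field. The names iface_rec, record_interface and IFACE_NAME_LEN are hypothetical stand-ins, and rejecting an over-long name (rather than truncating it) is an assumption made here.

```c
/* Added illustration; identifiers are hypothetical, not from dhclient.c. */
#include <stdio.h>
#include <string.h>

#define IFACE_NAME_LEN 16      /* size of 'tmp->name' as stated in the report */

struct iface_rec {             /* stand-in for struct interface_info */
    char name[IFACE_NAME_LEN];
    int  guard;                /* neighbouring field; must stay untouched */
};

/* Copy a command-line argument into rec->name.
 * Returns 0 on success, -1 if arg is NULL, empty, or does not fit together
 * with its terminating NUL. On failure the record is left zeroed. */
int record_interface(struct iface_rec *rec, const char *arg)
{
    const char *end;
    size_t len;

    memset(rec, 0, sizeof *rec);
    if (arg == NULL)
        return -1;
    /* Look for the NUL within the first 16 bytes only. */
    end = memchr(arg, '\0', IFACE_NAME_LEN);
    if (end == NULL || end == arg)
        return -1;             /* too long or empty: reject, do not truncate,
                                  a truncated name could match another interface */
    len = (size_t)(end - arg);
    memcpy(rec->name, arg, len + 1);   /* len + 1 <= IFACE_NAME_LEN */
    return 0;
}

int main(void)
{
    char longarg[2001];        /* constructed input: 2000 x 'a', as in the report */
    struct iface_rec rec;

    memset(longarg, 'a', 2000);
    longarg[2000] = '\0';

    printf("eth0       -> %d\n", record_interface(&rec, "eth0"));
    printf("15 chars   -> %d\n", record_interface(&rec, "abcdefghijklmno"));
    printf("16 chars   -> %d\n", record_interface(&rec, "abcdefghijklmnop"));
    printf("2000 x 'a' -> %d\n", record_interface(&rec, longarg));
    return 0;
}
```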