Package: p0f
Version: 2.0.5-1
Severity: normal
File: /usr/sbin/p0f

Hello,

recently I discovered the following bit of code in the source file p0f-2.0.5/p0f.c (function main):

    _u8 buf[MAXLINE*4];
    ...
    if (argv[optind] && *(argv[optind])) {
        sprintf(buf,"(%s) and (%3000s)",use_rule,argv[optind]);
        use_rule = buf;
    }

where MAXLINE is set to 1024. While this seems to try to prevent the buffer 'buf' from overflowing by using the format string "%3000s", it fails to do so. The number 3000, when used in the way above, gives the minimum field width. Probably the intention was to write "%.3000s" instead. This leads to a buffer overflow when the command line argument is longer than approx. 4096 characters.

Probably the following crash is a symptom of this bug:

    [EMAIL PROTECTED] [/mnt/source] /usr/sbin/p0f $(python -c 'print "a"*9999')
    p0f - passive os fingerprinting utility, version 2.0.5
    (C) M. Zalewski <[EMAIL PROTECTED]>, W. Stearns <[EMAIL PROTECTED]>
    Segmentation fault

I hope this helps,
Jochen

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages p0f depends on:
ii  libc6                         2.3.6.ds1-6                GNU C Library: Shared libraries
ii  libpcap0.7                    0.7.2-7                    System interface for user-level pa

p0f recommends no packages.

-- no debconf information
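The following is an added example, not part of the bug report or of the p0f source. It makes the width-versus-precision point concrete by measuring, with snprintf(NULL, 0, ...), how long the string produced by the reported format "(%s) and (%3000s)" would be compared with the intended "(%s) and (%.3000s)", and it shows the bounded, checked write a defender would use instead of the unbounded sprintf. MAXLINE is taken from the report; the use_rule value "src port 80" is a constructed stand-in for whatever rule p0f has at that point.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXLINE 1024          /* same value the report cites for p0f */
#define BUFSZ   (MAXLINE * 4) /* sizeof buf in the reported code */

/* Construct an argument of n 'a' characters, the same input as the
   `python -c 'print "a"*9999'` in the report. Caller frees. */
char *make_arg(size_t n) {
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}

/* Length the formatted string would have, measured with snprintf(NULL, 0, ...)
   so nothing is written anywhere (C99 behaviour). */
static size_t measure(const char *fmt, const char *use_rule, size_t arglen) {
    char *arg = make_arg(arglen);
    if (!arg) return 0;
    int n = snprintf(NULL, 0, fmt, use_rule, arg);
    free(arg);
    return n < 0 ? 0 : (size_t)n;
}

/* "%3000s": 3000 is a minimum field width, so short arguments are padded
   up to 3000 bytes and long arguments are copied in full. */
size_t original_len(const char *use_rule, size_t arglen) {
    return measure("(%s) and (%3000s)", use_rule, arglen);
}

/* "%.3000s": .3000 is a precision, so at most 3000 bytes of the argument
   are copied and nothing is padded. */
size_t fixed_len(const char *use_rule, size_t arglen) {
    return measure("(%s) and (%.3000s)", use_rule, arglen);
}

/* 1 if the formatted result plus its NUL terminator would not fit in BUFSZ. */
int original_overflows(const char *use_rule, size_t arglen) {
    return original_len(use_rule, arglen) + 1 > BUFSZ;
}
int fixed_overflows(const char *use_rule, size_t arglen) {
    return fixed_len(use_rule, arglen) + 1 > BUFSZ;
}

/* Hardened form of the reported pattern: bounded write plus an explicit
   truncation check, so an over-long argument is rejected rather than
   silently cut or written past the buffer. Returns 0 on success, -1 if
   the combined rule would not fit. */
int combine_rule(char *buf, size_t bufsz, const char *use_rule, const char *arg) {
    int n = snprintf(buf, bufsz, "(%s) and (%.3000s)", use_rule, arg);
    if (n < 0 || (size_t)n >= bufsz) return -1;
    return 0;
}

int main(void) {
    const char *rule = "src port 80"; /* constructed stand-in for p0f's use_rule */
    size_t lens[] = {5, 3000, 4096, 9999};
    printf("arglen    width(%%3000s)  precision(%%.3000s)\n");
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%6zu %14zu %19zu\n", lens[i],
               original_len(rule, lens[i]), fixed_len(rule, lens[i]));
    char *arg = make_arg(9999);
    char buf[BUFSZ];
    printf("combine_rule with 9999-byte argument: %s\n",
           combine_rule(buf, sizeof buf, rule, arg) == 0 ? "fits" : "rejected");
    free(arg);
    return 0;
}
```

With the constructed rule, a 5-byte argument already yields a 3020-byte string under "%3000s" (padded to the field width), while a 9999-byte argument yields 10019 bytes, well past the 4096-byte buffer; under "%.3000s" the same inputs give 25 and 3020 bytes, both of which fit. The checked snprintf variant removes the dependence on getting the format right at all, since any result that does not fit is reported to the caller instead of being written.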