From kerberos-acl@MIT.EDU Thu Oct 28 15:30:20 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA22917 for <bugs@RT-11.MIT.EDU>; Thu, 28 Oct 1999 15:30:19 -0400
Received: from GRAND-CENTRAL-STATION.MIT.EDU by MIT.EDU with SMTP
id AA03437; Thu, 28 Oct 99 15:30:35 EDT
Received: from melbourne-city-street.MIT.EDU (MELBOURNE-CITY-STREET.MIT.EDU [18.69.0.45])
by grand-central-station.MIT.EDU (8.9.2/8.9.2) with ESMTP id PAA28224
for <krb5-bugs@MIT.EDU>; Thu, 28 Oct 1999 15:25:58 -0400 (EDT)
Received: from mint-square.mit.edu (MINT-SQUARE.MIT.EDU [18.184.0.36])
by melbourne-city-street.MIT.EDU (8.9.3/8.9.2) with ESMTP id PAA01234
for <krb5-bugs@MIT.EDU>; Thu, 28 Oct 1999 15:25:57 -0400 (EDT)
Received: (from klmitch@localhost) by mint-square.mit.edu (8.9.3)
id PAA29691; Thu, 28 Oct 1999 15:25:57 -0400 (EDT)
Message-Id: <199910281925.PAA29691@mint-square.mit.edu>
Date: Thu, 28 Oct 1999 15:25:57 -0400
From: Kev <klmitch@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: default_com_err_proc possible overflow?
------- Begin code snippet, src/util/et/com_err.c
#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
    char errbuf[1024] = "";
    if (whoami) {
        strcat (errbuf, whoami);
        strcat (errbuf, ": ");
    }
    if (code) {
        strcat (errbuf, error_message(code));
        strcat (errbuf, " ");
    }
    if (fmt)
        vsprintf (errbuf + strlen (errbuf), fmt, ap);
------- End code snippet
This could potentially result in overflows. This is from the 1.1 sources;
I couldn't manage to grab the cvs sources...
--
Kevin L. Mitchell <klmitch@mit.edu>
------------------------- -. .---- --.. ..- -..- --------------------------
http://web.mit.edu/klmitch/www/ (PGP keys available from here)
RSA AE87D37D/1024: DE EA 1E 99 3F 2B F9 23 A0 D8 05 E0 6F BA B9 D2
DSS ED0DB34E/1024: D9BF 0E74 FDCB 43F5 C597 878F 9455 EC24 ED0D B34E
DH 2A2C31D4/2048: 1A77 4BA5 9E32 14AE 87DA 9FEC 7106 FC62 2A2C 31D4
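A bounded counterpart to the strcat/vsprintf sequence reported above, added here as an example; it is not part of the original report and is not the krb5 project's code or fix. The names format_err, demo_needed and demo_buf are hypothetical, the msg parameter stands in for error_message(code), and the 2000-byte whoami is constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define ERRBUF_SIZE 1024  /* size of errbuf in the reported snippet */
static char demo_buf[ERRBUF_SIZE];

/* Hypothetical bounded counterpart; msg stands in for error_message(code).
 * Returns the length the full message needs: >= size means truncated. */
size_t format_err(char *buf, size_t size, const char *whoami,
                  const char *msg, const char *fmt, ...)
{
    size_t needed, used;
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    n = snprintf(buf, size, "%s%s%s%s", whoami ? whoami : "",
                 whoami ? ": " : "", msg ? msg : "", msg ? " " : "");
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }
    needed = (size_t)n;
    used = needed < size ? needed : size - 1;  /* bytes actually stored */
    if (fmt) {
        va_start(ap, fmt);
        n = vsnprintf(buf + used, size - used, fmt, ap);
        va_end(ap);
        if (n > 0)
            needed += (size_t)n;
    }
    return needed;
}

/* Constructed input: 2000-byte whoami, too long for errbuf[1024]. */
size_t demo_needed(void)
{
    char whoami[2001];
    memset(whoami, 'A', 2000);
    whoami[2000] = '\0';
    return format_err(demo_buf, sizeof demo_buf, whoami,
                      "Permission denied", "while opening %s", "/tmp/x");
}

int main(void)
{
    size_t needed = demo_needed();
    printf("needed=%zu stored=%zu\n", needed, strlen(demo_buf));
    return 0;
}
```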
Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Tue Feb 22 16:39:48 2000
Responsible-Changed-Why:
reformat, set category
>Number: 781
>Category: krb5-libs
>Synopsis: default_com_err_proc possible overflow?
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Oct 28 15:31:01 EDT 1999
>Last-Modified: Tue Feb 22 16:39:58 EST 2000
>Originator: Kev <klmitch@MIT.EDU>
>Organization:
>Release:
>Environment:
>Description:
In default_com_err_proc(), we have the following code:
------- Begin code snippet, src/util/et/com_err.c
#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
    char errbuf[1024] = "";
    if (whoami) {
        strcat (errbuf, whoami);
        strcat (errbuf, ": ");
    }
    if (code) {
        strcat (errbuf, error_message(code));
        strcat (errbuf, " ");
    }
    if (fmt)
        vsprintf (errbuf + strlen (errbuf), fmt, ap);
------- End code snippet
This could potentially result in overflows. This is from the 1.1 sources;
I couldn't manage to grab the cvs sources...
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted: