[Devel] [ openser-Bugs-1620701 ] Buffer overflow by long lines in permissions

SourceForge.net noreply at sourceforge.net
Thu Jan 4 18:45:48 CET 2007


Bugs item #1620701, was opened at 2006-12-22 11:50
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1620701&group_id=139143

Category: modules
Group: None
Status: Open
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Bastian Friedrich (bastian)
>Assigned to: Bogdan (bogdan_iancu)
Summary: Buffer overflow by long lines in permissions

Initial Comment:
Hi,

Today a bug in OpenSER was reported on bugtraq (not found by me!):
http://www.securityfocus.com/archive/1/455097/30/0/threaded

String lengths are not properly checked in parse_expression_list (modules/permissions/parse_config.c) while copying from input variable str (up to 500 chars) to str2 (up to 100 chars).

I can reproduce the problem by using a line like
ALLLLLLL (500 L's) : ALLLLLLL (another 500 L's) in a permission file.

As the configuration file is under administrative control, no security breach is directly implied.

Best,
   Bastian


----------------------------------------------------------------------

>Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-04 19:45

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Bastian,

I have just committed a patch for fixing this problem. Could you please
give it a try to see if it works? If everything is OK, I will make a backport
to 1.1.0.

thanks and regards,
bogdan

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2006-12-22 13:35

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Bastian,

Actually, it is more than this - there is also no check when copying from
the file to the line buffer (500 chars max). Looks like there is a lot of work
to be done there.

Thanks for the report - we will take care of it.

regards,
bogdan

----------------------------------------------------------------------
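
The two missing checks discussed in this thread (file to line buffer, and line to the 100-char sub-buffers), shown as an added C example. It is not OpenSER's code or the committed patch; the names `copy_bounded`, `split_rule` and `read_rule_line` are hypothetical, and only the 500 and 100 sizes come from the report.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 500  /* line size named in the report */
#define EXPR_MAX_LEN 100  /* sub-buffer size named in the report */

/* Copy n bytes into dst (capacity cap); refuse instead of truncating. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) return -1;          /* no room for the terminating NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Split "left:right" into two EXPR_MAX_LEN buffers; 0 on success, -1 if
 * the line is overlong, has no ':' or either side does not fit. */
int split_rule(const char *line, char *left, char *right)
{
    const char *sep, *end = memchr(line, '\0', LINE_MAX_LEN + 1);
    if (!end) return -1;              /* longer than LINE_MAX_LEN */
    sep = memchr(line, ':', (size_t)(end - line));
    if (!sep) return -1;
    if (copy_bounded(left, EXPR_MAX_LEN, line, (size_t)(sep - line)) < 0)
        return -1;
    return copy_bounded(right, EXPR_MAX_LEN, sep + 1, (size_t)(end - sep - 1));
}

/* Read one line into buf: 1 = line read, 0 = EOF, -1 = line did not fit
 * (the rest of it is discarded so the next call starts on a fresh line). */
int read_rule_line(FILE *f, char *buf, size_t cap)
{
    int c;
    if (!fgets(buf, (int)cap, f)) return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 1; }
    if (n + 1 < cap) return 1;        /* short final line without '\n' */
    while ((c = fgetc(f)) != EOF && c != '\n') { }
    return -1;
}

int main(void)
{
    char line[LINE_MAX_LEN + 2], l[EXPR_MAX_LEN], r[EXPR_MAX_LEN];
    int rc;
    while ((rc = read_rule_line(stdin, line, sizeof line)) != 0)
        puts(rc < 0 || split_rule(line, l, r) < 0 ? "rejected" : "ok");
    return 0;
}
```

Both functions reject an oversized input outright rather than truncating it, so a rule is never silently shortened into a different rule.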
