[Devel] [ openser-Bugs-1620701 ] Buffer overflow by long lines in
permissions
SourceForge.net
noreply at sourceforge.net
Thu Jan 4 20:04:01 CET 2007
Bugs item #1620701, was opened at 2006-12-22 11:50
Message generated for change (Comment added) made by bogdan_iancu
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1620701&group_id=139143
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: None
Status: Open
Resolution: Fixed
Priority: 5
Private: No
Submitted By: Bastian Friedrich (bastian)
Assigned to: Bogdan (bogdan_iancu)
Summary: Buffer overflow by long lines in permissions
Initial Comment:
Hi,
today a bug in OpenSER was reported on bugtraq (not found by me!):
http://www.securityfocus.com/archive/1/455097/30/0/threaded
String lengths are not properly checked in parse_expression_list (modules/permissions/parse_config.c) while copying from input variable str (up to 500 chars) to str2 (up to 100 chars).
I can reproduce the problem by using a line like
ALLLLLLL (500 L's) : ALLLLLLL (another 500 L's) in a permission file.
As the configuration file is under administrative control, no security breach is directly implied.
Best,
Bastian
----------------------------------------------------------------------
>Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-04 21:04
Message:
Logged In: YES
user_id=1275325
Originator: NO
Hi Bastian,
I run more tests and I found a bug in matching the "ALL" keyword - all
string starting with "ALL" were matching :(.....
So, if you were using the ALLLLL (250 L), it will never try to parse as
list as the string was considered "ALL"....
try now....at least it works for me.
thanks and regards,
bogdan
----------------------------------------------------------------------
Comment By: Bastian Friedrich (bastian)
Date: 2007-01-04 20:28
Message:
Logged In: YES
user_id=34841
Originator: YES
Hi Bogdan,
looks good (although I wonder why I'm not able to trigger the "Expression
too long" warning...?! :)
Thx,
Bastian
----------------------------------------------------------------------
Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-04 19:45
Message:
Logged In: YES
user_id=1275325
Originator: NO
Hi Bastian,
I have just committed a patch for fixing this problem. Could you please
give it a try to see if it works? if everything ok, I will make a backport
to 1.1.0.
thanks and regards,
bogdan
----------------------------------------------------------------------
Comment By: Bogdan (bogdan_iancu)
Date: 2006-12-22 13:35
Message:
Logged In: YES
user_id=1275325
Originator: NO
Hi Bastian,
actually is more than this - there are also no check when copying from
file to the line buffer (500 chars max). Looks like there is a lot of work
to be done there.
Thanks for report - we will take care of it.
regards,
bogdan
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1620701&group_id=139143
More information about the Devel
mailing list