[Devel] [ openser-Bugs-1620701 ] Buffer overflow by long lines in permissions

SourceForge.net noreply at sourceforge.net
Fri Jan 5 12:19:04 CET 2007


Bugs item #1620701, was opened at 2006-12-22 10:50
Message generated for change (Comment added) made by bastian
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1620701&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: None
Status: Open
Resolution: Fixed
Priority: 5
Private: No
Submitted By: Bastian Friedrich (bastian)
Assigned to: Bogdan (bogdan_iancu)
Summary: Buffer overflow by long lines in permissions

Initial Comment:
Hi,

today a bug in OpenSER was reported on bugtraq (not found by me!):
http://www.securityfocus.com/archive/1/455097/30/0/threaded

String lengths are not properly checked in parse_expression_list (modules/permissions/parse_config.c) while copying from input variable str (up to 500 chars) to str2 (up to 100 chars).

I can reproduce the problem by using a line like
ALLLLLLL (500 L's) : ALLLLLLL (another 500 L's) in a permission file.

As the configuration file is under administrative control, no security breach is directly implied.

Best,
   Bastian


----------------------------------------------------------------------

>Comment By: Bastian Friedrich (bastian)
Date: 2007-01-05 12:19

Message:
Logged In: YES 
user_id=34841
Originator: YES

Hi Bogdan,

thx for your new patches. They seem to do the trick now :)

Regards,
  Bastian

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-04 20:04

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Bastian,

I ran more tests and I found a bug in matching the "ALL" keyword - all
strings starting with "ALL" were matching :(.....
So, if you were using the ALLLLL (250 L), it would never try to parse it as a
list, as the string was considered "ALL"....

try now....at least it works for me.

thanks and regards,
bogdan

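As an added illustration (not OpenSER's parse_config.c and not the patch Bogdan committed), the hypothetical parser below shows the two checks this thread calls for: a bounded copy that reports "too long" instead of overrunning the 100-byte expression buffer or the 500-byte line buffer, and an exact-length match for the "ALL" keyword so that "ALLLLL" is parsed as a list. The function names, the `lhs : rhs` line shape and the return codes are assumptions.

```c
#include <string.h>
#include <ctype.h>

#define LINE_MAX_LEN 500   /* line buffer size named in the report */
#define EXPR_MAX_LEN 100   /* per-expression buffer size named in the report */
enum { EXPR_OK = 0, EXPR_TOO_LONG = -1, EXPR_BAD_SYNTAX = -2 };

/* Strip surrounding blanks by adjusting pointer and length; nothing is copied. */
static void trim(const char **s, size_t *len)
{
    while (*len && isspace((unsigned char)**s)) { (*s)++; (*len)--; }
    while (*len && isspace((unsigned char)(*s)[*len - 1])) (*len)--;
}

/* Exact keyword test: only a 3-byte token is "ALL". A prefix test such as
   strncmp(s, "ALL", 3) == 0 also accepts "ALLLLL", the matching bug from the thread. */
int is_all_keyword(const char *s, size_t len)
{
    return len == 3 && memcmp(s, "ALL", 3) == 0;
}

/* Bounded copy into a fixed EXPR_MAX_LEN buffer: refuse instead of overflowing. */
static int copy_expr(const char *src, size_t len, char *dst)
{
    if (len >= EXPR_MAX_LEN)          /* keep one byte for the terminator */
        return EXPR_TOO_LONG;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return EXPR_OK;
}

/* Parse one "lhs : rhs" permissions line into two EXPR_MAX_LEN buffers; lhs_all /
   rhs_all become 1 when that side is exactly ALL. Returns one of the EXPR_* codes. */
int parse_permission_line(const char *line, char *lhs, char *rhs,
                          int *lhs_all, int *rhs_all)
{
    const char *l = line, *r, *colon;
    size_t llen, rlen; int rc;
    if (strlen(line) >= LINE_MAX_LEN)    /* would not fit the line buffer */
        return EXPR_TOO_LONG;
    if ((colon = strchr(line, ':')) == NULL)
        return EXPR_BAD_SYNTAX;
    llen = (size_t)(colon - line);  trim(&l, &llen);
    r = colon + 1;  rlen = strlen(r);  trim(&r, &rlen);
    if ((rc = copy_expr(l, llen, lhs)) != EXPR_OK) return rc;
    if ((rc = copy_expr(r, rlen, rhs)) != EXPR_OK) return rc;
    *lhs_all = is_all_keyword(lhs, llen);
    *rhs_all = is_all_keyword(rhs, rlen);
    return EXPR_OK;
}
```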
----------------------------------------------------------------------

Comment By: Bastian Friedrich (bastian)
Date: 2007-01-04 19:28

Message:
Logged In: YES 
user_id=34841
Originator: YES

Hi Bogdan,

looks good (although I wonder why I'm not able to trigger the "Expression
too long" warning...?! :)

Thx,
  Bastian

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2007-01-04 18:45

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Bastian,

I have just committed a patch for fixing this problem. Could you please
give it a try to see if it works? If everything is ok, I will make a backport
to 1.1.0.

thanks and regards,
bogdan

----------------------------------------------------------------------

Comment By: Bogdan (bogdan_iancu)
Date: 2006-12-22 12:35

Message:
Logged In: YES 
user_id=1275325
Originator: NO

Hi Bastian,

actually it is more than this - there are also no checks when copying from
file to the line buffer (500 chars max). Looks like there is a lot of work
to be done there.

Thanks for the report - we will take care of it.

regards,
bogdan

----------------------------------------------------------------------
