2 messages in net.sourceforge.lists.courier-usersRe: [courier-users] Buffer Overflow i...
FromSent OnAttachments
Eric SchultzMay 23, 2007 7:06 am 
Gordon MessmerMay 25, 2007 11:17 pm.patch
Actions with this message:
Paste this link in email or IM:
Paste this link in email or IM:
Atom feed for this thread
Paste this URL into your reader:
Subject:Re: [courier-users] Buffer Overflow in authmksock on x86_64Actions...
From:Gordon Messmer (yiny@eburg.com)
Date:May 25, 2007 11:17:48 pm
List:net.sourceforge.lists.courier-users
Attachments:

Eric Schultz wrote:

When compiling courier-authlib on CentOS5 (after installing the redhat-rpm-config package.) I recieved a Buffer overflow in authmksock.

The overflow occurs when the path to sock is sufficiently long. (My build directory is rather deeply nested.)

The workaround was to make sure the path it was to use when compiling was shorter. (by moving my build directory.)

You can't actually make mkauthsock work if the path is that long, so making it not SEGV is of questionable value.

All the same, this patch will do that.

--- authmksock.c.orig 2007-05-25 23:15:54.000000000 -0700 +++ authmksock.c 2007-05-25 23:15:57.000000000 -0700 @@ -21,6 +21,10 @@ #define SOMAXCONN 5 #endif

+#ifndef UNIX_PATH_MAX +#define UNIX_PATH_MAX 108 +#endif + int main(int argc, char *argv[]) { int fd=socket(PF_UNIX, SOCK_STREAM, 0); @@ -29,6 +33,7 @@ if (argc < 2) exit(1); if (fd < 0) exit(1); skun.sun_family=AF_UNIX; + if (strlen(argv[1]) >= UNIX_PATH_MAX - 1) exit(1); strcpy(skun.sun_path, argv[1]); unlink(skun.sun_path); if (bind(fd, (const struct sockaddr *)&skun, sizeof(skun)) ||