[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030814190519.19809.qmail@www.securityfocus.com>
Date: 14 Aug 2003 19:05:19 -0000
From: Vade 79 <v9@...ehalo.deadpig.org>
To: bugtraq@...urityfocus.com
Subject: Re: PST Linux Advisor--------Dsh-0.24.0 in debian has a home env
Buffer Overflow Vulnerability
In-Reply-To: <20030810011227.5888.qmail@....securityfocus.com>
> ssize_t buflen = 50 * strlen(fmt); /* pick a number, any number
>*/.............lol
> *strp = malloc(buflen);
>
> if (*strp)
> {
> va_list ap;
> va_start(ap, fmt);
> vsnprintf(*strp, buflen, fmt,
ap);..................................lol
>getenv("HOME") >50*strlen(%s/.dsh/dsh.conf) ......buf overflow......
how do you figure? it uses the same buflen value to limit the amount
written to the buffer in the vsnprintf call as it was allocated(cept
didn't add space for the null byte)? am i missing something?
Powered by blists - more mailing lists