[vchkpw] vchkpw webmailips traversal bug

2007-01-08 Thread Joshua Megerman
In vchkpw, you can statically compile in a list of IP addresses that are
to be treated as webmail connections for auth purposes.  However, the
traversal of the list does a loop based on dividing the size of the
entire array by the size of the first element in the array.  Since IP
addresses can be anywhere from 8 characters (A.B.C.D\0) to 16 characters
(AAA.BBB.CCC.DDD\0), this makes it likely that any added addresses will
cause some sort of segfault, especially if several large (character-wise)
addresses are added (since the default, 127.0.0.1 is only 10
characters).  This patch fixes it by NULL-terminating the list of strings,
and using that fact for bounds-checking in the for loop...

This bug has been present since at least 5.4.13, but my guess is that so
few people use this feature (I didn't even know about it until I was
walking the code earlier today checking on the connection types!) that
it's not likely to be hit very often.  Still, it's a bug, and so this
patch... :)  Also uploaded to SourceForge as bug #1630944.

Josh
-- 
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]




Re: [vchkpw] vchkpw webmailips traversal bug

2007-01-08 Thread Rick Macdougall

Joshua Megerman wrote:

In vchkpw, you can statically compile in a list of IP addresses that are
to be treated as webmail connections for auth purposes.  However, the
traversal of the list does a loop based on dividing the size of the
entire array by the size of the first element in the array.  Since IP
addresses can be anywhere from 8 characters (A.B.C.D\0) to 16 characters
(AAA.BBB.CCC.DDD\0), this makes it likely that any added addresses will
cause some sort of segfault, especially if several large (character-wise)
addresses are added (since the default, 127.0.0.1 is only 10
characters).  This patch fixes it by NULL-terminating the list of strings,
and using that fact for bounds-checking in the for loop...

This bug has been present since at least 5.4.13, but my guess is that so
few people use this feature (I didn't even know about it until I was
walking the code earlier today checking on the connection types!) that
it's not likely to be hit very often.  Still, it's a bug, and so this
patch... :)  Also uploaded to SourceForge as bug #1630944.


Thanks.

I believe that's my patch or patch request at any rate.  I'm not sure if 
I or Tom C. wrote the code for that.


Thanks for the patch.

Regards,

Rick



Re: [vchkpw] vchkpw webmailips traversal bug

2007-01-08 Thread Joshua Megerman
On Monday 08 January 2007 18:19, Rick Macdougall wrote:
 Joshua Megerman wrote:
  In vchkpw, you can statically compile in a list of IP addresses that are
  to be treated as webmail connections for auth purposes.  However, the
  traversal of the list does a loop based on dividing the size of the
  entire array by the size of the first element in the array.  Since IP
  addresses can be anywhere from 8 characters (A.B.C.D\0) to 16 characters
  (AAA.BBB.CCC.DDD\0), this makes it likely that any added addresses will
  cause some sort of segfault, especially if several large (character-wise)
  addresses are added (since the default, 127.0.0.1 is only 10
  characters).  This patch fixes it by NULL-terminating the list of
  strings, and using that fact for bounds-checking in the for loop...
 
  This bug has been present since at least 5.4.13, but my guess is that so
  few people use this feature (I didn't even know about it until I was
  walking the code earlier today checking on the connection types!) that
  it's not likely to be hit very often.  Still, it's a bug, and so this
  patch... :)  Also uploaded to SourceForge as bug #1630944.

 Thanks.

 I believe that's my patch or patch request at any rate.  I'm not sure if
 I or Tom C. wrote the code for that.

 Thanks for the patch.

My turn to say oops - As Tom pointed out in response to my sourceforge 
posting, I was mistaking the sizeof the pointer for the sizeof the string.  
I've closed the SF bug as invalid, please discard the patch (not that it 
doesn't work, but the original code is perfectly valid).

josh
-- 
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
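The point Josh concedes in his last message is worth seeing in running code: for an array of `char *`, `sizeof(array) / sizeof(array[0])` divides by the size of a pointer, not by the length of whatever string the first pointer happens to reference, so the element count is correct no matter how long the individual addresses are. The example below is added here and is not code from vchkpw or from anyone on the thread; the IP list, the function names and the NULL-terminated variant (the approach the withdrawn patch proposed) are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample list standing in for a compiled-in webmail IP table
 * (not vchkpw's own data).  The strings deliberately differ in length,
 * since that is what the original report suspected would break the count. */
static const char *webmail_ips[] = {
    "127.0.0.1",        /* 10 bytes including the terminating NUL */
    "10.1.2.3",         /* 9 bytes */
    "192.168.100.200",  /* 16 bytes */
};

/* Element count via the sizeof idiom.  webmail_ips[0] has type
 * `const char *`, so sizeof(webmail_ips[0]) is the size of a pointer and
 * the division yields the number of pointers in the array. */
size_t count_by_sizeof(void)
{
    return sizeof(webmail_ips) / sizeof(webmail_ips[0]);
}

/* The same list with a NULL sentinel, the alternative the withdrawn patch
 * suggested: traversal stops at the sentinel instead of using sizeof. */
static const char *webmail_ips_nullterm[] = {
    "127.0.0.1",
    "10.1.2.3",
    "192.168.100.200",
    NULL,
};

size_t count_by_sentinel(void)
{
    size_t n = 0;
    while (webmail_ips_nullterm[n] != NULL)
        n++;
    return n;
}

/* Bounded membership test over the table, using the sizeof-derived count.
 * Returns 1 if `ip` is listed, 0 otherwise; never reads past the array. */
int is_webmail_ip(const char *ip)
{
    size_t n = count_by_sizeof();
    size_t i;
    for (i = 0; i < n; i++) {
        if (strcmp(webmail_ips[i], ip) == 0)
            return 1;
    }
    return 0;
}

/* Two numbers that make the confusion in the thread concrete: the element
 * size (a pointer) versus the byte length of the first string plus its NUL. */
size_t element_size(void)
{
    return sizeof(webmail_ips[0]);
}

size_t first_string_bytes(void)
{
    return strlen(webmail_ips[0]) + 1;
}

int main(void)
{
    printf("sizeof count: %zu, sentinel count: %zu\n",
           count_by_sizeof(), count_by_sentinel());
    printf("element size (pointer): %zu, first string bytes: %zu\n",
           element_size(), first_string_bytes());
    printf("192.168.100.200 is webmail: %d\n", is_webmail_ip("192.168.100.200"));
    printf("8.8.8.8 is webmail: %d\n", is_webmail_ip("8.8.8.8"));
    return 0;
}
```

Both counting methods agree on the three entries, and `element_size()` returns the platform's pointer size (typically 8 on a 64-bit build) rather than the 10 bytes of `"127.0.0.1"`. The one real caveat with the sizeof idiom is that it must be applied to the array object itself: once the table is passed to a function as a `const char **` parameter, the array has decayed to a pointer and `sizeof` reports the pointer's size, which is the situation where a sentinel or an explicit length argument becomes necessary.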