Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

X-RDate: Tue, 21 Apr 1998 13:01:00 +0600 (YEKST)
X-UIDL: 35317d340000007f
Date: Sat, 18 Apr 1998 15:49:08 +0100
From: Chris Evans <[email protected]>
To: [email protected]
Subject: Re: Nasty security hole in "lprm"

Hi,

Sorry to follow up on my own post about lprm, but...

...yes OpenBSD fixed it long ago.

I'll bet there are other lpr subsystem bugs they fixed too, that we should
all care about :)


RCS file: /usr/OpenBSD/cvs/src/usr.sbin/lpr/common_source/rmjob.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- src/usr.sbin/lpr/common_source/rmjob.c      1996/07/04 05:41:52 1.3
+++ src/usr.sbin/lpr/common_source/rmjob.c      1996/10/25 19:38:21 1.4
@@ -327,12 +327,12 @@

        (void)snprintf(buf, sizeof(buf), "\5%s %s", RP, all ? "-all" : person);
        cp = buf;
-       for (i = 0; i < users; i++) {
+       for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof buf; i++) {
                cp += strlen(cp);
                *cp++ = ' ';
                strcpy(cp, user[i]);
        }
-       for (i = 0; i < requests; i++) {
+       for (i = 0; i < requests && cp-buf+10 < sizeof buf; i++) {
                cp += strlen(cp);
                (void) sprintf(cp, " %d", requ[i]);
        }

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: