Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: buffer overflow in libsecure (NSA Security-enhanced Linux)
From: Matt Power <mhpower () BOS BINDVIEW COM>
Date: Tue, 2 Jan 2001 20:06:27 -0500

In http://www.securityfocus.com/archive/1/153355, Perry Harrington
<perry () webcom com> wrote:

From your message, it would appear that the file parser is at fault, not
truncating the newline in the value.  If the newline is removed, like most
config file parsers, then the allocation logic is correct.

Actually, in the code from slinux-200012181053-release.tgz, the
allocation logic is still incorrect even if the newline character is
removed from the end of each line that's read from the
/etc/security/default_type file. If the newline is removed, the number
of characters to copy is reduced by one, but the buffer size is also
reduced by one. For example, if the buf field were "sysadm_r:sysadm_t"
rather than "sysadm_r:sysadm_t\n", then strlen(buf)-i-len-1 is
17 - 0 - 8 - 1, which is 8; and the strcpy would attempt to copy the 9
characters "sysadm_t\0" into the 8-character buffer.

In any case, the NSA has announced a new release that fixes this
buffer-overflow problem. There's a copy of the NSA's announcement at

  http://marc.theaimsgroup.com/?l=selinux&m=97847509307650&w=2

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com


  By Date           By Thread  

Current thread:
  • Re: buffer overflow in libsecure (NSA Security-enhanced Linux) Matt Power (Jan 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]