On 08 Apr 2003 10:40:30 +0530 Trevor Warren wrote:
o Problem description: An anonymous user can gain remote root access due to a buffer overflow caused by a StrnCpy() into a char array (fname) using a non-constant length (namelen).
StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */
In the call_trans2open function in trans2.c, the Samba StrnCpy function copies pname into fname using namelen. The variable namelen is assigned the value of
strlen(pname)+1, which causes the overflow.
^^^^^^^^^^^^^
Just to highlight a bad practice that gives a false sense of security :)
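The bad practice the reply points at is a "bounded" copy whose bound is computed from the source (strlen(src)+1) rather than from the destination, so the length argument limits nothing. The following is an added example, not Samba code and not from the quoted advisory: FNAME_SIZE, would_overflow, safe_copy and the sample names are all hypothetical, chosen only to show the source-derived bound beside a destination-bounded copy that refuses input that does not fit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination, standing in for a char array
 * like fname. The real size in the affected code is not given here. */
#define FNAME_SIZE 64

/* The criticised pattern: the "limit" handed to the bounded copy is derived
 * from the source, so it equals the number of bytes the copy would write
 * anyway. This helper only reports that bound; it never performs the copy. */
size_t source_derived_bound(const char *src) {
    return strlen(src) + 1;
}

/* True when a copy using the source-derived bound would write past a
 * destination of dst_size bytes. */
bool would_overflow(const char *src, size_t dst_size) {
    return source_derived_bound(src) > dst_size;
}

/* Hardened copy: the bound comes from the destination, the result is always
 * NUL-terminated, and input that does not fit is rejected rather than
 * silently truncated. Returns true on success. */
bool safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Constructed sample input: a name that fits in FNAME_SIZE. */
static const char SHORT_NAME[] = "docs/report.txt";

/* Returns 1 if the short name is accepted and copied intact. */
int demo_short_name_accepted(void) {
    char fname[FNAME_SIZE];
    if (would_overflow(SHORT_NAME, sizeof fname)) return 0;
    if (!safe_copy(fname, sizeof fname, SHORT_NAME)) return 0;
    return strcmp(fname, SHORT_NAME) == 0;
}

/* Returns 1 if a constructed 199-character name (far longer than the
 * buffer) is flagged by the check and refused by the hardened copy. */
int demo_long_name_rejected(void) {
    char fname[FNAME_SIZE];
    char long_name[200];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    /* Source-derived bound is 200 bytes against a 64-byte buffer. */
    if (!would_overflow(long_name, sizeof fname)) return 0;
    if (safe_copy(fname, sizeof fname, long_name)) return 0; /* must refuse */
    return 1;
}

int main(void) {
    printf("short name accepted: %d\n", demo_short_name_accepted());
    printf("long name rejected:  %d\n", demo_long_name_rejected());
    return 0;
}
```

The point of safe_copy is that the only number that can legitimately bound a copy is the size of the destination; a bound computed from the source is the source length restated, which is exactly what an attacker controls.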