bug-cfengine


cfexecd buffer overwrite


From: rader
Subject: cfexecd buffer overwrite
Date: Thu, 16 Jun 2005 12:00:15 -0500

I recently realized that, after upgrading from 2.1.3 to 2.1.14,
cfexecd on Solaris7 stopped working.  The symptoms were syslog msgs
like so:

 Jun 16 07:00:45 jasmine cfexecd[2151]:  cfengine defines no system administrator address
 Jun 16 07:00:45 jasmine cfexecd[2151]:  Need: sysadm = ( address@hidden ) in control

Running from the command line, gethostbyname() was failing to send
the following unexpected output:

 cfexecd: Couldn't run /var/cfengine/bin/cfagent -q -Dfrom_cfexecd
 cfexecd: execv: Bad file number

About five contexts deep into debugging, I found a buffer overwrite,
which in turn was causing gethostbyname() and sscanf() to fail.
The former is used by cfexecd to send mail, and the latter is used
in SplitCommand() to setup an argv for the execv() in cfpopen().

Patch for 2.1.15 is attached.

Mark: if you'd like me to explain further, just holler.  But I think it's
reasonable to assume that strncpy'ing 4096 (CF_BUFSIZE) bytes into 18
(VIPADDRESS) bytes is not a good thing!

steve 
- - - 
systems & network manager
high energy physics
university of wisconsin

*** cfexecd.c.orig      Wed May 25 02:52:26 2005
--- cfexecd.c   Thu Jun 16 11:40:24 2005
***************
*** 452,458 ****
     if (strcmp(name,"ipaddress") == 0)
        {
        Debug("%s/%s\n",name,content);
!       strncpy(VIPADDRESS,content,CF_MAXVARSIZE-1);
        continue;
        }
  
--- 452,458 ----
     if (strcmp(name,"ipaddress") == 0)
        {
        Debug("%s/%s\n",name,content);
!       strncpy(VIPADDRESS,content,sizeof(VIPADDRESS));
        continue;
        }
  
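Review bot: the new bound `strncpy(VIPADDRESS,content,sizeof(VIPADDRESS))` stops the overrun but can still leave VIPADDRESS without a terminating NUL, because strncpy only terminates when the source is shorter than the bound; any `content` of 18 or more characters yields an unterminated buffer that the later gethostbyname()/mail code would read past. Use `sizeof(VIPADDRESS)-1` and set `VIPADDRESS[sizeof(VIPADDRESS)-1] = '\0'` after the copy, or reject over-long values before copying. A one-line comment on why the old bound `CF_MAXVARSIZE-1` was wrong would also help future readers: strncpy writes exactly n bytes (NUL padding included), so the old call clobbered the memory after VIPADDRESS even for a short address. Finally, make sure VIPADDRESS is declared as an array in this translation unit; if the header exposes it only as a pointer, `sizeof` would give the pointer size instead of 18.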

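The report above describes an strncpy whose bound comes from a constant unrelated to the destination buffer, and the follow-on failures in gethostbyname() and sscanf() caused by the neighbouring globals being overwritten. The following C program is an added example written for this page; it is not cfengine code and not the poster's patch. It models VIPADDRESS as an 18-byte buffer at the start of a flat arena standing in for the data segment, with an assumed neighbouring global (a sysadm mail address, constructed here) directly after it. CF_MAXVARSIZE = 1024, the arena layout and the sample values are assumptions for the demonstration. The buggy setter reproduces the pre-patch pattern; the hardened setter goes one step beyond the posted patch by also guaranteeing NUL termination and rejecting values that do not fit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values for this example; not taken from cfengine's headers. */
#define CF_MAXVARSIZE  1024
#define VIPADDRESS_LEN 18    /* the 18-byte VIPADDRESS buffer the report describes */
#define SYSADM_LEN     64    /* an assumed neighbouring global (mail address) */

/* A flat arena stands in for the data segment: the address buffer sits at
   offset 0 and the neighbouring global directly after it. The arena is sized
   so that even the buggy strncpy stays inside it, which keeps the
   demonstration deterministic instead of crashing. */
struct globals {
    char mem[CF_MAXVARSIZE + VIPADDRESS_LEN + SYSADM_LEN];
};

static char *vipaddress(struct globals *g) { return g->mem; }
static char *sysadm(struct globals *g)     { return g->mem + VIPADDRESS_LEN; }

/* Pre-patch pattern: the bound comes from an unrelated constant, not from the
   destination. strncpy always writes exactly n bytes (NUL-padding after the
   copied string), so everything after VIPADDRESS is overwritten even when
   content is a short dotted-quad. */
static void set_ipaddress_buggy(struct globals *g, const char *content)
{
    strncpy(vipaddress(g), content, CF_MAXVARSIZE - 1);
}

/* Hardened form: reject values that do not fit (strncpy leaves no terminator
   when strlen(src) >= n), bound the copy by the destination size minus one,
   and terminate explicitly. Returns 0 on success, -1 if content is too long. */
static int set_ipaddress_fixed(struct globals *g, const char *content)
{
    char *dst = vipaddress(g);
    if (strlen(content) >= VIPADDRESS_LEN)
        return -1;
    strncpy(dst, content, VIPADDRESS_LEN - 1);
    dst[VIPADDRESS_LEN - 1] = '\0';
    return 0;
}

/* Scenario: fill the neighbouring global, then store an ipaddress with the
   buggy (use_fixed == 0) or hardened (use_fixed != 0) setter.
   Returns 1 if sysadm is still intact afterwards, 0 if it was clobbered. */
static int sysadm_survives(int use_fixed, const char *content)
{
    struct globals g;
    memset(&g, 0, sizeof g);
    strcpy(sysadm(&g), "root@example.org");   /* constructed sample value */
    if (use_fixed)
        set_ipaddress_fixed(&g, content);
    else
        set_ipaddress_buggy(&g, content);
    return strcmp(sysadm(&g), "root@example.org") == 0;
}

/* Returns 1 if the hardened setter stores a short value verbatim and refuses
   an over-long one, 0 otherwise. */
static int fixed_setter_behaves(void)
{
    struct globals g;
    memset(&g, 0, sizeof g);
    if (set_ipaddress_fixed(&g, "10.0.0.1") != 0)
        return 0;
    if (strcmp(vipaddress(&g), "10.0.0.1") != 0)
        return 0;
    return set_ipaddress_fixed(&g, "0123456789abcdef0123456789") == -1;
}

int main(void)
{
    printf("buggy setter, \"10.0.0.1\": sysadm %s\n",
           sysadm_survives(0, "10.0.0.1") ? "intact" : "clobbered");
    printf("fixed setter, \"10.0.0.1\": sysadm %s\n",
           sysadm_survives(1, "10.0.0.1") ? "intact" : "clobbered");
    printf("fixed setter stores short value and rejects long one: %s\n",
           fixed_setter_behaves() ? "yes" : "no");
    return 0;
}
```

The point the arena makes visible is that the damage does not depend on the attacker or the config supplying a long value: with the wrong bound, a perfectly ordinary "10.0.0.1" still zero-fills the 1005 bytes after the buffer, which is exactly the kind of silent corruption of unrelated globals that showed up here as gethostbyname() and sscanf() failures.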
