[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-ed] GNU Ed heap overflow

From: Core Security Advisories Team (CS)
Subject: [Bug-ed] GNU Ed heap overflow
Date: Mon, 30 Jun 2008 18:15:46 -0300


Alfredo Ortega from Core Security Technologies has found that GNU Ed is vulnerable to a heap overflow.

The technical details of this bug are included below. We would appreciate to receive information about your plans for fixing this bug.

The error is located in the file signal.c:

203    /* return copy of escaped string of at most length PATH_MAX */
204    const char *strip_escapes( const char *s )
205      {
206      static char *file = 0;
207      static int filesz = 0;
209      int i = 0;
211      if( !resize_buffer( &file, &filesz, path_max( 0 ) + 1 ) ) return 0;
212      /* assert: no trailing escape */
213      while( ( file[i++] = ( (*s == '\\' ) ? *++s : *s ) ) )
214        s++;
215      return file;
216      }

The strip_escapes() function is called with the name of a file. The
length of the file is not checked, and the resize_buffer() function will
allocate a buffer with the size provided by the function path_max(),
that never exceeds 8192 bytes. If the file name length is greater than
this value, the function will overwrite the heap-allocated buffer in the
while loop at line 213. The strip_escapes() function is called from
several points in the source code, all vulnerable to this heap overflow,
but an easy way to reproduce the overflow is with the following python

import os;
cmd='/bin/ed %s' % (10000*'A');

Thanks in advance,

Carlos Sarraute
Advisories Team
Core Security Technologies

reply via email to

[Prev in Thread] Current Thread [Next in Thread]