Bug 128216 - comms/qpage buffer overflow
Summary: comms/qpage buffer overflow
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Stefan Walter
Reported: 2008-10-18 23:30 UTC by jfb
Modified: 2008-10-19 09:10 UTC (History)
Attachments
file.diff (831 bytes, patch)
2008-10-18 23:30 UTC, jfb

Description jfb 2008-10-18 23:30:02 UTC
FreeBSD 7.0's new malloc subsystem plus certain combinations of SNPP sender, recipient, and callerid trigger a buffer overflow in srvrsnpp.c at line 704, where p->messageid, which was created with strdup(), has the contents of buff appended to it without being reallocated. As a result, the first byte of one (variable) element of 'p' (struct page) is overwritten with a (char)0 appended by strcat(), causing a blank sender, blank recipient (and silent failure), or blank message. It seems that other elements may be overwritten in this manner as well, resulting in an error message to the SNPP client.

Fix: attached patch

Patch attached with submission follows:
How-To-Repeat: FreeBSD 7.0 is required to trigger the problem.

It appears that one of these overwrites will occur when any page is sent with a sender/callerid of four or more bytes. Any working qpage.cf with users defined can be used. After starting the qpage daemon, submit a page with

qpage -s <qpageserver> -f longsender -p recipient "message"

It is not necessary to have a modem connected, only to have an existing and unused serial device as the designated modem in qpage.cf. The qpage client may display an error message and exit, which is one of the possible results of this bug. If qpage succeeds, examine the file created in /var/spool/qpage, and one of the Pager, From, or Message fields in the spool file will be blank.
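
Added example (not the patch attached to this PR and not qpage's own code): the pattern described above, a buffer sized by strdup() that later has text appended, shown with the buffer reallocated before the append. The names exact_dup, append_grow and build_messageid and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Allocates exactly strlen(s) + 1 bytes, the same size strdup() returns. */
static char *exact_dup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Grow *dst so suffix fits, then append. Returns 0 on success, -1 on error;
 * on error *dst is untouched and still owned by the caller. */
int append_grow(char **dst, const char *suffix)
{
    size_t old_len, add_len;
    char *tmp;

    if (dst == NULL || *dst == NULL || suffix == NULL)
        return -1;
    old_len = strlen(*dst);
    add_len = strlen(suffix);
    if (add_len > SIZE_MAX - old_len - 1)  /* size would wrap */
        return -1;
    tmp = realloc(*dst, old_len + add_len + 1);
    if (tmp == NULL)
        return -1;
    memcpy(tmp + old_len, suffix, add_len + 1);  /* includes the NUL */
    *dst = tmp;
    return 0;
}

/* Constructed stand-in for the code path in the report. */
char *build_messageid(const char *base, const char *buff)
{
    char *id = exact_dup(base);
    if (id == NULL)
        return NULL;
    /* Pattern from the report: strcat(id, buff) here would write
     * strlen(buff) bytes past the end of the allocation. */
    if (append_grow(&id, buff) != 0) {
        free(id);
        return NULL;
    }
    return id;
}
```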
Comment 1 Stefan Walter freebsd_committer freebsd_triage 2008-10-19 09:06:46 UTC
Responsible Changed
From-To: freebsd-ports-bugs->stefan

Take.
Comment 2 dfilter service freebsd_committer freebsd_triage 2008-10-19 09:09:14 UTC
stefan      2008-10-19 08:09:02 UTC

  FreeBSD ports repository

  Modified files:
    comms/qpage          Makefile 
  Added files:
    comms/qpage/files    patch-srvrsnpp.c 
  Log:
  Fix a potential buffer overflow.
  
  PR:             128216
  Submitted by:   maintainer
  
  Revision  Changes    Path
  1.27      +1 -1      ports/comms/qpage/Makefile
  1.1       +28 -0     ports/comms/qpage/files/patch-srvrsnpp.c (new)
Comment 3 Stefan Walter freebsd_committer freebsd_triage 2008-10-19 09:09:24 UTC
State Changed
From-To: open->closed

Committed, thanks!