FreeBSD 7.0's new malloc subsystem plus certain combinations of SNPP sender, recipient, and callerid trigger a buffer overflow in srvrsnpp.c at line 704, where p->messageid, which was created with strdup(), has the contents of buff appended to it without being reallocated. As a result, the first byte of one (variable) element of 'p' (struct page) is overwritten with a (char)0 appended by strcat(), causing a blank sender, blank recipient (and silent failure), or blank message. It seems that other elements may be overwritten in this manner as well, resulting in an error message to the SNPP client. Fix: attached patch Patch attached with submission follows: How-To-Repeat: FreeBSD 7.0 is required to trigger the problem. It appears that one of these overwrites will occur when any page is sent with a sender/callerid of four or more bytes. Any working qpage.cf with users defined can be used. After starting the qpage daemon, submit a page with qpage -s <qpageserver> -f longsender -p recipient "message" It is not necessary to have a modem connected, only to have an existing and unused serial device as the designated modem in qpage.cf. The qpage client may display an error message and exit, which is one of the possible results of this bug. If qpage succeeds, examine the file created in /var/spool/qpage, and one of the Pager, From, or Message fields in the spool file will be blank.
Responsible Changed From-To: freebsd-ports-bugs->stefan Take.
stefan 2008-10-19 08:09:02 UTC FreeBSD ports repository Modified files: comms/qpage Makefile Added files: comms/qpage/files patch-srvrsnpp.c Log: Fix a potential buffer overflow. PR: 128216 Submitted by: maintainer Revision Changes Path 1.27 +1 -1 ports/comms/qpage/Makefile 1.1 +28 -0 ports/comms/qpage/files/patch-srvrsnpp.c (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Committed, thanks!