misc/121359: local stack overflow in ppp

sipher sipherr at gmail.com
Tue Mar 4 16:40:01 UTC 2008


>Number:         121359
>Category:       misc
>Synopsis:       local stack overflow in ppp
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 04 16:40:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     sipher
>Release:        FreeBSD 7.0
>Organization:
none
>Environment:
all affected.
>Description:
http://www.securityfocus.com/archive/82/488980/30/0/threaded

Stack-based overflow which is confirmed to be exploitable on FreeBSD 7.0.
>How-To-Repeat:
1. Run ppp

2. type the following (or at least some variation of it)

~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxx

>Fix:
diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
from++;

while (*from != '\0') {
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
switch (*from) {
case '"':
instring = !instring;
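Review bot: `endto` is used in the new `if (to >= endto)` test at the top of the while loop, but nothing in this diff declares or initialises it, and `InterpretArg(const char *from, char *to)` still takes no destination size, so as posted the patch cannot compile and the bound it enforces is unspecified. A further hunk is needed that either adds a size parameter or derives `endto` from the caller's buffer (it must point at the last byte of `to`, since every truncation path stores `*endto = '\0'`), together with a comment at the head of the function saying that `to` is always NUL-terminated within that bound and that a truncated argument returns early with the unconsumed remainder of `from`.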
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to)
*to++ = '\\'; /* Pass the escapes on, maybe skipping \# */
break;
}
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
*to++ = *from++;
break;
case '$':
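Review bot: the `if (to >= endto)` inserted after `*to++ = '\\';` is only safe because exactly one byte is stored between the loop-top check and this one; a comment saying so would stop a later edit from adding a second unchecked store in this case. On truncation the output is also left ending in a lone backslash, which the comment on that line says is passed on as an escape, so the caller would see an escape with nothing after it; storing `*--to = '\0'` instead of `*endto = '\0'` here, or having the caller treat any early return as an error, avoids that.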
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to)
*ptr++ = *from;
*ptr = '\0';
}
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
if (*to == '\0')
*to++ = '$';
else if ((env = getenv(to)) != NULL) {
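Review bot: the `if (to >= endto)` added before `if (*to == '\0')` tests a pointer that, as far as this hunk shows, has not moved since the loop-top check in the `$` case, so it can never fire; the stores that actually need bounding here are `*ptr++ = *from;` and `*ptr = '\0';`, which assemble the variable name in the buffer through `ptr` with no limit against `endto`, and whatever copies `env` into `to` after `getenv(to)` (not in this hunk). Bound the `ptr` loop against `endto`, and copy `env` with `strlcpy(to, env, endto - to + 1)` or equivalent, instead of this no-op check.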
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to)
if (len == 0)
pwd = getpwuid(ID0realuid());
else {
+ if (to + len >= endto) {
+ *to = '\0';
+ return from;
+ }
strncpy(to, from, len);
to[len] = '\0';
pwd = getpwnam(to);
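Review bot: `if (to + len >= endto)` refuses the case `to + len == endto`, where `to[len] = '\0'` would land exactly on `endto`, the byte the other hunks reserve for the terminator with `*endto = '\0'`; `>` would be consistent with them and stop rejecting a user name that fits. More importantly, this check guards only the name copy for `getpwnam(to)`: the bare `~` branch via `getpwuid(ID0realuid())`, which is the path the `~/~/~/...` string in How-To-Repeat exercises, and the copy of the resulting home directory into `to` that follows this hunk still have no bound, so the patch does not yet close the reported overflow without a further hunk there.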



Submitted by Eygene Ryabinkin (rea-sec at codelabs.ru) 

>Release-Note:
>Audit-Trail:
>Unformatted:
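
The overflow pattern reported above, as an added example that is not ppp's code and not the patch quoted under >Fix:. It models the `~` and `~user` expansion of InterpretArg in two forms: `expanded_len()` computes how many bytes an unbounded expansion produces, which is what a fixed-size stack buffer in the pre-fix code had to absorb, and `interpret_arg_bounded()` applies the patch's idea of an `endto` sentinel so that no store passes the last byte of the buffer and the output is always NUL-terminated. The `users` table and `home_of()` stand in for getenv()/getpwuid()/getpwnam() so the example runs offline and deterministically; those names, the function names, and the sample home directories are assumptions, not anything from ppp.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for getenv("HOME")/getpwuid()/getpwnam(): a fixed
 * table instead of the real password database (assumption, not ppp's code).
 * The "" entry answers a bare "~", i.e. the invoking user's home directory. */
static const struct { const char *name; const char *dir; } users[] = {
    { "",      "/home/alice" },
    { "alice", "/home/alice" },
    { "root",  "/root" },
};

static const char *home_of(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strlen(users[i].name) == len && memcmp(users[i].name, name, len) == 0)
            return users[i].dir;
    return NULL;   /* unknown user: caller copies the '~' literally */
}

/* Length of the user name after a '~': everything up to '/' or end of string. */
static size_t tilde_name_len(const char *p) {
    size_t len = 0;
    while (p[len] != '\0' && p[len] != '/')
        len++;
    return len;
}

/* Bounded expansion (the shape of the fix): copy `from` into `to`, which has
 * `tosz` bytes, expanding "~" and "~user". `endto` is the last byte of the
 * buffer and is reserved for the NUL, so no store ever passes it.
 * Returns true if the whole input fit, false if the output was truncated. */
bool interpret_arg_bounded(const char *from, char *to, size_t tosz) {
    char *endto = to + tosz - 1;
    while (*from != '\0') {
        if (*from == '~') {
            size_t len = tilde_name_len(from + 1);
            const char *dir = home_of(from + 1, len);
            if (dir != NULL) {
                size_t dlen = strlen(dir);
                if ((size_t)(endto - to) < dlen) {   /* home dir would not fit */
                    *to = '\0';
                    return false;
                }
                memcpy(to, dir, dlen);
                to += dlen;
                from += 1 + len;
                continue;
            }
        }
        if (to >= endto) {   /* one byte left, and it belongs to the terminator */
            *endto = '\0';
            return false;
        }
        *to++ = *from++;
    }
    *to = '\0';
    return true;
}

/* What an unbounded copy (the pre-fix behaviour) produces: the expanded length,
 * independent of any destination size. Anything above the stack buffer's size
 * is the number of bytes the old code would have written past its end. */
size_t expanded_len(const char *from) {
    size_t n = 0;
    while (*from != '\0') {
        if (*from == '~') {
            size_t len = tilde_name_len(from + 1);
            const char *dir = home_of(from + 1, len);
            if (dir != NULL) {
                n += strlen(dir);
                from += 1 + len;
                continue;
            }
        }
        n++;
        from++;
    }
    return n;
}

int main(void) {
    /* Constructed input in the shape of the How-To-Repeat string. */
    const char *repro = "~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    char buf[64];
    size_t need = expanded_len(repro);
    bool ok = interpret_arg_bounded(repro, buf, sizeof buf);
    printf("unbounded expansion needs %zu bytes for a %zu-byte buffer\n", need, sizeof buf);
    printf("bounded: %s, output \"%s\" (%zu bytes)\n",
           ok ? "fit" : "truncated", buf, strlen(buf));
    return 0;
}
```

Each `~/` in the repro string expands to twelve bytes of home directory, so ten of them already exceed the 64-byte buffer before the `x` padding is reached; the bounded version stops after the fifth expansion with a terminated string and reports truncation, which the caller should treat as an error rather than use the shortened path.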
