List: kde-core-devel
Subject: Re: vulnerabilty fixed
From: George Staikos <staikos () kde ! org>
Date: 2002-11-01 1:34:20
How about this supplementary patch? I haven't really tested it because I
don't use Lisa at all. It looks a bit cleaner and safer to me.
On October 31, 2002 17:59, Alexander Neundorf wrote:
> Hi,
>
> there was a vulnerability in kdenetwork/lanbrowsing/lisa/ running in
> restricted mode (reslisa), which enabled a local root exploit, I fixed it
> immediately as it was reported to me.
>
> Does sun_path have the same size on every system?
> It's 108 bytes on my box, but Google told me also something about 64 bytes.
> Any reliable information?
>
> Patch attached, already committed.
>
> Bye
> Alex
>
> --- netmanager.cpp 2002/02/02 10:30:58 1.14
> +++ netmanager.cpp 2002/10/31 22:45:43
> @@ -131,14 +131,25 @@ int NetManager::prepare()
> m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, 0);
> //m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, IPPROTO_TCP);
> MyString socketName("/tmp/resLisa-");
> - socketName+=getenv("LOGNAME");
> + char *logname=getenv("LOGNAME");
> + if (strlen(logname)>60)
> + {
> + std::cout<<"NetManager::prepare: your logname \""<<logname<<"\"
> is longer than 60 characters, exiting."<<std::endl;
> + return 0;
> + }
> + socketName+=logname;
>
> ::unlink(socketName.data());
>
> sockaddr_un serverAddr;
> // bzero((char*)&serverAddr, sizeof(serverAddr));
> memset((void*)&serverAddr, 0, sizeof(serverAddr));
> serverAddr.sun_family = AF_LOCAL;
> strcpy(serverAddr.sun_path,socketName.data());
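
Review bot: strlen(logname) in the added check runs before anything confirms that getenv("LOGNAME") returned a non-NULL pointer, so an unset LOGNAME is undefined behaviour here instead of a clean error; test logname for NULL first. The limit of 60 is also a constant that is not derived from the destination buffer, and the strcpy into serverAddr.sun_path in the trailing context is still unbounded. Comparing the full length of socketName (prefix included) against sizeof(serverAddr.sun_path) would bound the copy by the real buffer size on whatever system this is built on.
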
--
George Staikos
["lisa.patch" (text/x-diff)]
Index: netmanager.cpp
===================================================================
RCS file: /home/kde/kdenetwork/lanbrowsing/lisa/netmanager.cpp,v
retrieving revision 1.17
diff -u -3 -p -r1.17 netmanager.cpp
--- netmanager.cpp 2002/10/31 22:43:55 1.17
+++ netmanager.cpp 2002/11/01 01:30:44
@@ -157,18 +157,22 @@ int NetManager::prepare()
//m_listenFD=::socket(AF_LOCAL, SOCK_STREAM, IPPROTO_TCP);
MyString socketName("/tmp/resLisa-");
char *logname=getenv("LOGNAME");
- if (strlen(logname)>60)
- {
- std::cout<<"NetManager::prepare: your logname \""<<logname<<"\" is longer \
than 60 characters, exiting."<<std::endl; + if (!logname)
+ {
+ std::cout<<"NetManager::prepare: your logname is not set. \
Exiting."<<std::endl; return 0;
}
socketName+=logname;
+ if (socketName.length() >= UNIX_PATH_MAX)
+ {
+ std::cout<<"NetManager::prepare: your logname \""<<logname<<"\" is too \
long, exiting."<<std::endl; + return 0;
+ }
::unlink(socketName.data());
sockaddr_un serverAddr;
-// bzero((char*)&serverAddr, sizeof(serverAddr));
memset((void*)&serverAddr, 0, sizeof(serverAddr));
serverAddr.sun_family = AF_LOCAL;
- strcpy(serverAddr.sun_path,socketName.data());
+ strncpy(serverAddr.sun_path,socketName.data(),UNIX_PATH_MAX-1);
result=::bind(m_listenFD,(sockaddr*) &serverAddr,sizeof(serverAddr));
if (result!=0)
{
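
Review bot: The new length check and the strncpy bound both rely on UNIX_PATH_MAX, which this hunk neither defines nor pulls in a header for, and which is not guaranteed to equal the size of sun_path on every platform (the 108 versus 64 byte question raised in the quoted mail). Using sizeof(serverAddr.sun_path) in both places ties the bound to the actual buffer. Separately, the content of LOGNAME is still appended to /tmp/resLisa- and handed to ::unlink() without any check on its characters, so the length test alone does not constrain which path is unlinked and bound; rejecting a logname that contains '/' before building socketName would cover that.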