After a quick scan through the lircd code I found some information leaks in
I haven't checked if they are exploitable, but they sure are info leaks.
What is it about?
The manual says:
Upon successful return, these functions return the number of characters printed (not including the trailing '\0' used to end output to strings). The functions snprintf and vsnprintf do not write more than size bytes (including the trailing '\0'). If the output was truncated due to this limit then the return value is the number of characters (not including the trailing '\0') which would have been written to the final string if enough space had been available. Thus, a return value of size or more means that the output was truncated. (See also below under NOTES.) If an output error is encountered, a negative value is returned.
What's in the lircd code?:
==> if the buffer is too small, and all->name > PACKET_SIZE, then it will write more to the fd than it normally should, resulting in an information leakage (like the %ebp value, return value, ... (unless compiled with -fomit-frame-pointer, but that's an entirely different story)).
That same error is there a couple of times.
Since there is no memory write at the return value of (v)snprintf, I don't see any way to exploit this. But information gathered could be useful for other bugs maybe... I think it's worth fixing :)
Suggested solution: if (len >= PACKET_SIZE+1) .... (which, I think, is th
I don't know if this is the correct place to post this, but I wouldn't know where else to put it!
(Hopefully this is a useful mail... if not: ignore it!)
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers@... -=- http://harry.ulyssis.org
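The pattern the mail describes, as an added example (not lircd's code): the snprintf return value is passed straight to the write, so a truncated message hands out bytes that follow the buffer on the stack, next to a hardened form that applies the manual's "size or more means truncated" rule. PACKET_SIZE, the frame layout, the marker bytes and the memcpy standing in for write(fd, ...) are all constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed value for the demo; lircd's real PACKET_SIZE is not quoted in the mail. */
#define PACKET_SIZE 16

/* Models the stack frame: the packet buffer followed by whatever the compiler
 * placed after it (saved %ebp, return address, ...). A fixed marker stands in
 * for those bytes so the leak can be detected deterministically. */
struct frame {
    char buf[PACKET_SIZE];
    char after[8];
};
#define MARKER "STACKBYT"   /* 8 bytes, constructed */

/* Vulnerable pattern: the snprintf return value goes straight to the write.
 * On truncation it is the length the message WOULD have had, so the write
 * reads past buf. write(fd, buf, len) is modelled by a memcpy into out. */
size_t send_packet_vuln(const char *name, char *out, size_t outcap)
{
    struct frame fr;
    memcpy(fr.after, MARKER, sizeof fr.after);
    int len = snprintf(fr.buf, sizeof fr.buf, "%s\n", name);
    if (len < 0)
        return 0;
    size_t n = (size_t)len;                 /* may exceed sizeof fr.buf */
    if (n > sizeof fr) n = sizeof fr;       /* demo stops at the frame end; real code keeps reading */
    if (n > outcap) n = outcap;
    memcpy(out, (const char *)&fr, n);      /* copies fr.after once n > PACKET_SIZE */
    return n;
}

/* Hardened form: honour the snprintf contract. A return value of size or
 * more means truncation; drop the packet instead of sending stack bytes. */
size_t send_packet_safe(const char *name, char *out, size_t outcap)
{
    struct frame fr;
    memcpy(fr.after, MARKER, sizeof fr.after);
    int len = snprintf(fr.buf, sizeof fr.buf, "%s\n", name);
    if (len < 0 || (size_t)len >= sizeof fr.buf)
        return 0;                           /* error or truncated: send nothing */
    size_t n = (size_t)len;
    if (n > outcap) n = outcap;
    memcpy(out, fr.buf, n);                 /* n < PACKET_SIZE, stays inside buf */
    return n;
}

/* Number of bytes in a sent packet that came from beyond the buffer. */
size_t leaked_bytes(size_t sent)
{
    return sent > PACKET_SIZE ? sent - PACKET_SIZE : 0;
}
```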