
#29 obexftp buffer overflow... third contact attempt

closed-fixed
nobody
None
5
2005-06-27
2005-03-23
Anonymous
No

This looks a little sketchy: the folder-listing text that obexftp receives from the remote side is scanned into fixed 200-byte arrays with no width limit, so it can probably be triggered when someone tries to grab a file from your Bluetooth / IrDA device. (This would be a nice counter-attack against a Bluetooth snarfer.)

./obexftp/client.c:943: char name[200]; // bad coder
./obexftp/client.c:944: char mod[200]; // - no biscuits!

./obexftp/client.c:966: if (2 == sscanf (line,
"<folder name=\"%[^\"]\" modified=\"%[^\"]\"", name,
mod)) {
./obexftp/client.c:979: if (3 == sscanf (line,
"<file name=\"%[^\"]\" size=\"%[^\"]\"
modified=\"%[^\"]\"", name, size, mod)) {

Am I correct? If so, it is more or less the same as the following, where an unbounded conversion writes past a 200-byte buffer:

kfinisterre@kfinisterre01:~$ cat crash.c
#include <stdio.h>
#include <sys/types.h>
#include <dirent.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <string.h>

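/*
 * Proof of concept for the obexftp/client.c overflow quoted above: that
 * parser scans remote-supplied `<folder name="...">` text into fixed
 * 200-byte arrays with an unbounded `%[^\"]` conversion. This program
 * reproduces the same mistake locally by scanning directory entry names
 * into a 200-byte buffer with an unbounded `%s`; a 254-character entry
 * (see the mkdir in the transcript below) overruns `name` and corrupts
 * the stack.
 *
 * The overflow is intentional and is the whole point of the listing. The
 * safe form is a bounded conversion, e.g. sscanf(..., "%199s", name): the
 * width must be one less than the buffer size to leave room for the NUL.
 *
 * Returns 0 after walking /tmp, 1 if /tmp cannot be opened (in practice it
 * crashes first when the oversized entry is read).
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    char name[200]; /* deliberately too small, mirrors client.c:943 */
    char path[512] = "/tmp";
    struct dirent *ent;
    DIR *dir = opendir(path);

    if (dir == NULL) {
        fprintf(stderr, "opendir %s \n", path);
        return 1; /* was a bare `return;` in an int function */
    }

    /* readdir() hands back library-owned storage; the malloc()ed dirent in
     * the original was overwritten on the first iteration and leaked. */
    while ((ent = readdir(dir)) != NULL) {
        /* UNBOUNDED on purpose: d_name may carry up to 255 bytes, name holds 200. */
        sscanf(ent->d_name, "%s", name);
    }

    closedir(dir);
    return 0;
}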

kfinisterre@kfinisterre01:~$ cc -o crash crash.c
kfinisterre@kfinisterre01:~$ mkdir /tmp/`perl -e 'print
"A" x 254'`
kfinisterre@kfinisterre01:~$ ltrace ./crash
__libc_start_main(0x80484f4, 1, 0xbffff924, 0x80485d0,
0x8048630 <unfinished ...>
memset(0xbffff510, '\000', 512)
= 0xbffff510
strcat("", "/tmp")
= "/tmp"
malloc(268)
= 0x8049870
opendir("/tmp")
= 0x8049980
readdir(0x8049980)
= 0x80499b0
sscanf(0x80499bb, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x80499c0
sscanf(0x80499cb, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x80499d0
sscanf(0x80499db, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x80499e8
sscanf(0x80499f3, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049a00
sscanf(0x8049a0b, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049a18
sscanf(0x8049a23, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049a30
sscanf(0x8049a3b, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049a48
sscanf(0x8049a53, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049a68
sscanf(0x8049a73, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049a88
sscanf(0x8049a93, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049aa8
sscanf(0x8049ab3, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049ac8
sscanf(0x8049ad3, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049ae8
sscanf(0x8049af3, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x8049980)
= 0x8049b08
sscanf(0x8049b13, 0x80486f6, 0xbffff7e0, 0, 0)
= 1
readdir(0x41414141 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

Discussion

  • Christian W. Zuckschwerdt

    • status: open --> closed-fixed
     
  • Christian W. Zuckschwerdt


    Hi Kevin,

    I got your email and fixed this by adding size limits to the
    conversions. The fixed-size fields are still there though; I don't
    like having three mallocs on each XML tag.
    In fact the whole thing should probably be left to some XML library.

     
