From 4221400c1d14acb855396636a627d051a4fdfbd2 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 5 Feb 1997 04:18:27 +0000
Subject: [PATCH] IPOPT_LSRR/IPOPT_SSRR must exit() due to tcp sequencing; pointed out by provos@wserver.physnet.uni-hamburg.de. also another 1-char buffer overflow.
---
 libexec/rlogind/rlogind.c | 19 +++++++++++++------
 libexec/rshd/rshd.c | 21 +++++++++++++++------
 2 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/libexec/rlogind/rlogind.c b/libexec/rlogind/rlogind.c
index e6c735449fe..a429e538566 100644
--- a/libexec/rlogind/rlogind.c
+++ b/libexec/rlogind/rlogind.c
@@ -39,7 +39,7 @@ static char copyright[] =
 #ifndef lint
 /* from: static char sccsid[] = "@(#)rlogind.c 8.1 (Berkeley) 6/4/93"; */
-static char *rcsid = "$Id: rlogind.c,v 1.13 1997/01/17 07:12:08 millert Exp $";
+static char *rcsid = "$Id: rlogind.c,v 1.14 1997/02/05 04:18:27 deraadt Exp $";
 #endif /* not lint */
 /*
@@ -259,8 +259,8 @@ doit(f, fromp)
 #ifdef IP_OPTIONS
 {
 u_char optbuf[BUFSIZ/3], *cp;
- char lbuf[BUFSIZ], *lp;
- int optsize = sizeof(optbuf), ipproto;
+ char lbuf[sizeof(optbuf)*3+1], *lp;
+ int optsize = sizeof(optbuf), ipproto, i;
 struct protoent *ip;
 if ((ip = getprotobyname("ip")) != NULL)
@@ -269,12 +269,19 @@ doit(f, fromp)
 ipproto = IPPROTO_IP;
 if (getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) == 0 && optsize != 0) {
- lp = lbuf;
- for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
- sprintf(lp, " %2.2x", *cp);
+ for (lp = lbuf, i = 0; i < optsize; i++, lp += 3)
+ sprintf(lp, " %2.2x", optbuf[i]);
 syslog(LOG_NOTICE, "Connection received using IP options (ignored):%s", lbuf);
+ for (i = 0; i < optsize; ) {
+ u_char c = optbuf[i];
+ if (c == IPOPT_LSRR || c == IPOPT_SSRR)
+ exit(1);
+ if (c == IPOPT_EOL)
+ break;
+ i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
+ }
 if (setsockopt(0, ipproto, IP_OPTIONS, (char *)NULL, optsize) != 0) {
 syslog(LOG_ERR,
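Review bot: The new size `sizeof(optbuf)*3+1` for `lbuf` is correct only because the formatting loop in the following hunk writes exactly three characters per option byte plus one terminating NUL, and nothing at the declaration records that coupling. A comment on `lbuf` such as `/* " %2.2x" is 3 chars per option byte, +1 for the NUL */` would keep the two in step if the format ever changes. After this commit `cp` in `u_char optbuf[BUFSIZ/3], *cp;` appears to be unused within this block and could be dropped. The identical declarations in rshd.c (hunk at -237) would take the same comment; the block continues outside the hunk.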
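Review bot: The added option walk advances with `i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];` without checking the length byte, so a length of 0 leaves `i` unchanged and the loop never terminates, and when the option type is the last byte returned, `optbuf[i+1]` is read beyond the `optsize` bytes getsockopt() filled in. The kernel presumably validates options before storing them, but the bytes originate from an unauthenticated peer, so failing closed on a missing or too-short length is cheap. The same loop is added to rshd.c's doit() (hunk at -247) and needs the same guard. A distinct syslog line before `exit(1)` would also help, since the message logged just above says the options were "(ignored)" even when the connection is dropped. doit() starts and ends outside the hunk.

```c
for (i = 0; i < optsize; ) {
	u_char c = optbuf[i];
	/* … unchanged: LSRR/SSRR exit and EOL break … */
	if (c == IPOPT_NOP) {
		i++;
		continue;
	}
	/* length byte must be present and cover at least type + length */
	if (i + 1 >= optsize || optbuf[i+1] < 2)
		exit(1);
	i += optbuf[i+1];
}
```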
diff --git a/libexec/rshd/rshd.c b/libexec/rshd/rshd.c
index 5fb2d4e4af2..0e02071c23d 100644
--- a/libexec/rshd/rshd.c
+++ b/libexec/rshd/rshd.c
@@ -39,7 +39,7 @@ static char copyright[] =
 #ifndef lint
 /* from: static char sccsid[] = "@(#)rshd.c 8.2 (Berkeley) 4/6/94"; */
-static char *rcsid = "$Id: rshd.c,v 1.10 1997/01/15 23:41:03 millert Exp $";
+static char *rcsid = "$Id: rshd.c,v 1.11 1997/02/05 04:18:30 deraadt Exp $";
 #endif /* not lint */
 /*
@@ -55,7 +55,9 @@ static char *rcsid = "$Id: rshd.c,v 1.10 1997/01/15 23:41:03 millert Exp $";
 #include
 #include
+#include
 #include
+#include
 #include
 #include
@@ -237,8 +239,8 @@ doit(fromp)
 #ifdef IP_OPTIONS
 {
 u_char optbuf[BUFSIZ/3], *cp;
- char lbuf[BUFSIZ], *lp;
- int optsize = sizeof(optbuf), ipproto;
+ char lbuf[sizeof(optbuf)*3+1], *lp;
+ int optsize = sizeof(optbuf), ipproto, i;
 struct protoent *ip;
 if ((ip = getprotobyname("ip")) != NULL)
@@ -247,12 +249,19 @@ doit(fromp)
 ipproto = IPPROTO_IP;
 if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) && optsize != 0) {
- lp = lbuf;
- for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
- sprintf(lp, " %2.2x", *cp);
+ for (lp = lbuf, i = 0; i < optsize; i++, lp += 3)
+ sprintf(lp, " %2.2x", optbuf[i]);
 syslog(LOG_NOTICE, "Connection received from %s using IP options (ignored):%s", inet_ntoa(fromp->sin_addr), lbuf);
+ for (i = 0; i < optsize; ) {
+ u_char c = optbuf[i];
+ if (c == IPOPT_LSRR || c == IPOPT_SSRR)
+ exit(1);
+ if (c == IPOPT_EOL)
+ break;
+ i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
+ }
 if (setsockopt(0, ipproto, IP_OPTIONS, (char *)NULL, optsize) != 0) {
 syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
--
2.20.1