InfoSect's Month of Pointless Bugs (#29)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bug #29

In bsdgames/robots:


# define        MAXNAME         16

...

typedef struct {
        u_int32_t       s_uid;
        u_int32_t       s_score;
        u_int32_t       s_auto;
        u_int32_t       s_level;
        char            s_name[MAXNAME];
} SCORE;

...

void
set_name(scp)
        SCORE   *scp;
{
        PASSWD  *pp;
        static char unknown[] = "???";

        if ((pp = getpwuid(scp->s_uid)) == NULL)
                pp->pw_name = unknown;
        strncpy(scp->s_name, pp->pw_name, MAXNAME);
}

This bug allows s_name to possibly not be NUL terminate for long login names. Note like previous bugs, dropping privs is not checked for failure.

Comments

Popular posts from this blog

C++ Memory Corruption (std::vector) - part 2

Pointer Compression in V8

Linux Kernel Stack Smashing