141185 – CAN-2004-1079 ncpfs buffer overflow.

Bug 141185 - CAN-2004-1079 ncpfs buffer overflow.

Summary: CAN-2004-1079 ncpfs buffer overflow.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	ncpfs
Sub Component:
Version:	3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Jiri Ryska
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:	impact=important,public=20041129,sour...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-11-29 20:07 UTC by Josh Bressers
Modified:	2007-11-30 22:10 UTC (History)
CC List:	0 users
Fixed In Version:	ncpfs-2.2.4-4.FC3.1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-06-20 12:03:52 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Josh Bressers 2004-11-29 20:07:00 UTC

Taken from
http://lists.netsys.com/pipermail/full-disclosure/2004-November/029563.html


There is buffer overflow in ncplogin and ncpmap in nwclient.c.


static void strcpy_cw(wchar_t *w, const char* s) {
~        while ((*w++ = *(const nuint8*)s++) != 0);
}

NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const
NWDSChar * treeName){
...
wchar_t wc_treeName[MAX_DN_CHARS+1];

~  if (!treeName)
~      return ERR_NULL_POINTER;

~  strcpy_cw (wc_treeName,treeName);

Currently i have not managed to successfully exploit this bug on x86.

How to reproduce :

ncplogin -T `perl -e '{print"a"x"330"}'`
ncpmap -T `perl -e '{print"a"x"330"}'` /


This issue also affects FC2.

Comment 1 Josh Bressers 2004-12-06 15:24:26 UTC

Ping on this issue.

Comment 2 Mark J. Cox 2005-06-02 10:12:38 UTC

Needs update pushing for FC3

Note You need to log in before you can comment on or make changes to this bug.