Bug 141185 - CAN-2004-1079 ncpfs buffer overflow.
CAN-2004-1079 ncpfs buffer overflow.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ncpfs (Show other bugs)
3
All Linux
medium Severity high
: ---
: ---
Assigned To: Jiri Ryska
David Lawrence
impact=important,public=20041129,sour...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-29 15:07 EST by Josh Bressers
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version: ncpfs-2.2.4-4.FC3.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-20 08:03:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2004-11-29 15:07:00 EST
Taken from
http://lists.netsys.com/pipermail/full-disclosure/2004-November/029563.html


There is buffer overflow in ncplogin and ncpmap in nwclient.c.


static void strcpy_cw(wchar_t *w, const char* s) {
~        while ((*w++ = *(const nuint8*)s++) != 0);
}

NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const
NWDSChar * treeName){
...
wchar_t wc_treeName[MAX_DN_CHARS+1];

~  if (!treeName)
~      return ERR_NULL_POINTER;

~  strcpy_cw (wc_treeName,treeName);

Currently i have not managed to successfully exploit this bug on x86.

How to reproduce :

ncplogin -T `perl -e '{print"a"x"330"}'`
ncpmap -T `perl -e '{print"a"x"330"}'` /


This issue also affects FC2.
Comment 1 Josh Bressers 2004-12-06 10:24:26 EST
Ping on this issue.
Comment 2 Mark J. Cox 2005-06-02 06:12:38 EDT
Needs update pushing for FC3

Note You need to log in before you can comment on or make changes to this bug.