[ros-bugs] [Bug 1307] New: SECAUDIT: Multiple security vulnerabilities in tcpsvcs
ReactOS.Bugzilla at reactos.org
Mon Jan 30 23:30:15 CET 2006
http://www.reactos.org/bugzilla/show_bug.cgi?id=1307
Summary: SECAUDIT: Multiple security vulnerabilities in tcpsvcs
Product: ReactOS
Version: TRUNK
Platform: x86 Hardware
OS/Version: ReactOS
Status: NEW
Severity: major
Priority: P3
Component: Networking
AssignedTo: ros-bugs at reactos.org
ReportedBy: mbealby at gmail.com
QAContact: ros-bugs at reactos.org
Security Code Audit
-------------------
Code: base/services/tcpsvcs/
Date: Sun 29 Jan 2006 19:15:40 GMT
Whom: mxb (mbealby AT gmail.com)
---
discard.c:48 - REMOTE: Null termination error
Putting BUF bytes in buf doesn't leave room for a null at the end. Should put BUF-1.

echo.c:49 - REMOTE: Null termination error
Putting BUF bytes in buf doesn't leave room for a null at the end. Should put BUF-1.

qotd.c:21 - Incorrect definition
Quote is defined as [60][BUFSIZ], but QBUFSIZ is used in the loading loop (qotd.c:48)

qotd.c:33 - Buffer overflow
If an attacker can set system directory to a path with a length of > MAX_PATH - 23 then Sys can be overflowed when FilePath is appended.

qotd.c:40 - Buffer overflow
If length of sys is > 221 then buf can be overflowed. See qotd.c:33

qotd.c:48 - Overflow
NumQuotes is incremented in a loop and is not checked if it is > 60 (hardcoded limit).

skelserver.c:168 - REMOTE: Null termination error
Putting BUF bytes in buf doesn't leave room for a null at the end. Should put BUF-1.

tcpsvcs.c:77 - Buffer overflow
If an attacker can set the log directory to a path with a length of > MAX_PATH - 17 then LogFilePath can be overflowed when FilePath is appended.

tcpsvcs.c:84 - Buffer overflow
If length of LogFilePath is > 49 then buf can be overflowed. See tcpsvcs.c:77

tcpsvcs.c:261 - Buffer overflow
Easily overflowable. Rework code?

tcpsvcs.c:267 - Buffer overflow
UserMessage can be longer than length of MessageBuffer.

tcpsvcs.c:270 - Possible writing to null
Check if hLogFile != NULL. File open might have failed.
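The two recurring finding classes in this audit (receiving BUF bytes with no room for the terminator, and appending a file name to a directory path of unchecked length) can be fixed as sketched below. This is an added example, not ReactOS code: `fake_recv`, `read_line`, `join_path`, the sizes and the `\quotes.txt` name are all hypothetical stand-ins, and `PATH_CAP` plays the role of MAX_PATH.

```c
#include <stdio.h>
#include <string.h>

#define BUF 16        /* constructed size; the report does not give the real one */
#define PATH_CAP 32   /* small stand-in for MAX_PATH so the limits are easy to see */

/* Stand-in for recv(): copies up to `want` bytes of a constructed payload. */
static size_t fake_recv(char *dst, size_t want, const char *payload, size_t len)
{
    size_t n = len < want ? len : want;
    memcpy(dst, payload, n);
    return n;
}

/* Ask for at most BUF-1 bytes, then terminate: buf is always a valid C string. */
size_t read_line(char buf[BUF], const char *payload, size_t len)
{
    size_t n = fake_recv(buf, BUF - 1, payload, len);
    buf[n] = '\0';
    return n;
}

/* Build dir+file only if the result and its NUL fit in cap bytes.
   Returns 0 on success, -1 if it would not fit (out is left empty). */
int join_path(char *out, size_t cap, const char *dir, const char *file)
{
    int n = snprintf(out, cap, "%s%s", dir, file);
    if (n < 0 || (size_t)n >= cap) {
        if (cap) out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[BUF], path[PATH_CAP];
    const char big[] = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes, constructed */
    size_t n = read_line(buf, big, sizeof big - 1);
    printf("stored %zu bytes, strlen %zu\n", n, strlen(buf));
    printf("short dir: %d\n", join_path(path, sizeof path, "C:\\sys", "\\quotes.txt"));
    printf("long dir:  %d\n",
           join_path(path, sizeof path, "C:\\a\\very\\long\\system\\dir", "\\quotes.txt"));
    return 0;
}
```

The caller of `join_path` has to treat -1 as a hard failure and skip the file open, which also covers the audit's last point about writing through a handle that was never opened.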