[ros-bugs] [Bug 1307] New: SECAUDIT: Multiple security vulnerabilities in tcpsvcs

ReactOS.Bugzilla at reactos.org
Mon Jan 30 23:30:15 CET 2006


http://www.reactos.org/bugzilla/show_bug.cgi?id=1307

           Summary: SECAUDIT: Multiple security vulnerabilities in tcpsvcs
           Product: ReactOS
           Version: TRUNK
          Platform: x86 Hardware
        OS/Version: ReactOS
            Status: NEW
          Severity: major
          Priority: P3
         Component: Networking
        AssignedTo: ros-bugs at reactos.org
        ReportedBy: mbealby at gmail.com
         QAContact: ros-bugs at reactos.org


Security Code Audit
-------------------
Code: base/services/tcpsvcs/
Date: Sun 29 Jan 2006 19:15:40 GMT
Whom: mxb (mbealby AT gmail.com)

---

discard.c:48 - REMOTE: Null termination error
Putting BUF bytes in buf doesn't leave room for a null at the end.  Should put
BUF-1.

echo.c:49 - REMOTE: Null termination error
Putting BUF bytes in buf doesn't leave room for a null at the end.  Should put
BUF-1.

qotd.c:21 - Incorrect definition
Quote is defined as [60][BUFSIZ], but QBUFSIZ is used in the loading loop
(qotd.c:48)

qotd.c:33 - Buffer overflow
If an attacker can set the system directory to a path with a length of > MAX_PATH - 23, then Sys can be overflowed when FilePath is appended.

qotd.c:40 - Buffer overflow
If the length of Sys is > 221 then buf can be overflowed.  See qotd.c:33

qotd.c:48 - Overflow
NumQuotes is incremented in a loop and is not checked if it is > 60 (hardcoded
limit).

skelserver.c:168 - REMOTE: Null termination error
Putting BUF bytes in buf doesn't leave room for a null at the end.  Should put
BUF-1.
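The three "Null termination error" findings above (discard.c:48, echo.c:49, skelserver.c:168) are the same defect: recv() is asked for the full BUF bytes, so a maximal read leaves no byte for the terminating null and any later string operation on buf reads past its end. The following is an added example, not code from tcpsvcs: it shows the flagged call in a comment, a recv_cstring() wrapper that applies the BUF-1 rule the audit recommends and always terminates the buffer, and a local socketpair harness (names recv_cstring, roundtrip and the small BUF value are this example's own assumptions) so the truncation can be checked without a network.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF 8   /* deliberately tiny so truncation is visible; the real services use a larger BUF */

/* Pattern the audit flags, for contrast (not used here):
 *     char buf[BUF];
 *     recv(sock, buf, BUF, 0);      // may fill every byte: no room for '\0'
 *     printf("%s", buf);            // reads past the end of buf
 */

/* Hardened form: request at most bufsize-1 bytes and always terminate.
 * Returns bytes received, 0 on orderly close, -1 on error; buf is a valid
 * C string in every case. */
static int recv_cstring(int fd, char *buf, size_t bufsize)
{
    ssize_t n;
    if (bufsize == 0) return -1;
    n = recv(fd, buf, bufsize - 1, 0);   /* the BUF-1 rule from the audit */
    if (n < 0) { buf[0] = '\0'; return -1; }
    buf[n] = '\0';
    return (int)n;
}

/* Demonstration harness (constructed for this example): sends msg over a
 * local AF_UNIX socketpair and reads it back through recv_cstring. */
static int roundtrip(const char *msg, char *out, size_t outsz)
{
    int sv[2];
    int n;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (send(sv[1], msg, strlen(msg), 0) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    n = recv_cstring(sv[0], out, outsz);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    char buf[BUF];
    /* 16-byte message into an 8-byte buffer: only BUF-1 bytes are stored,
     * and buf stays a proper string. */
    int n = roundtrip("0123456789ABCDEF", buf, sizeof buf);
    printf("received %d bytes, buf=\"%s\" (strlen %zu, capacity %zu)\n",
           n, buf, strlen(buf), sizeof buf);
    return 0;
}
```

In the real services the remainder of a long message stays queued on the socket and is picked up by the next recv(); the point is only that every read leaves buf terminated, whatever the client sends.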

tcpsvcs.c:77 - Buffer overflow
If an attacker can set the log directory to a path with a length of > MAX_PATH - 17, then LogFilePath can be overflowed when FilePath is appended.

tcpsvcs.c:84 - Buffer overflow
If the length of LogFilePath is > 49 then buf can be overflowed.  See tcpsvcs.c:77

tcpsvcs.c:261 - Buffer overflow
Easily overflowable.  Rework code?

tcpsvcs.c:267 - Buffer overflow
UserMessage can be longer than length of MessageBuffer.

tcpsvcs.c:270 - Possible writing to null
Check if hLogFile != NULL.  File open might have failed.
