Bug#764442: apt: String overrun in RSHConn::WriteMsg() (transports rsh: and ssh:)
On Wed, Oct 08, 2014 at 02:49:40AM -0400, David Garfield wrote:
> Package: apt
> Version: 1.0.9.2
> Severity: normal
Thanks for your bug report.
> In examining the sources in method/rsh.cc I ran across the function
> RSHConn::WriteMsg(....)
>
> The first thing it does is make a buffer of 512 bytes, put up to 508
> bytes of data in it (the vsnprintf call), and then add at least 14
> more bytes of data (the strcat calls).
Good catch, thank you!
[..]
> The simplest fix is probably to change the "- 4" on the vsnprintf()
> to "- 24" or thereabouts. A more complex fix (probably not needed)
> might send the two strings separately. It also might be wise to
> consider if the buffer should be enlarged.
>
> I have not fully examined other sources for similar code, but do see
> where this came from in method/ftp.cc.
[..]
I fixed this in git and replaced the strcat with a C++ std::string so
that we do not run into the fixed buffer issue. I also enlarged the
buffer while doing so.
Cheers,
Michael
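As an added illustration (example code written for this page, not apt's own source): the arithmetic behind the overrun David describes, with the original "- 4" slack and his suggested "- 24" both checked without ever writing past a buffer, beside a std::string builder of the kind Michael's reply mentions. The trailer string, the function names overrunBytes and buildMsg and their signatures are assumptions; only the 512-byte buffer, the 4-byte slack and the "at least 14 bytes" trailer length come from the report.

```cpp
// Added example, not apt's code: the fixed-buffer pattern from the report,
// reduced to an arithmetic check that never performs the overrun, beside a
// std::string-based builder in the spirit of the fix described in the reply.
#include <algorithm>
#include <cstdarg>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Figures from the report: a 512-byte buffer, vsnprintf limited to
// sizeof(buffer) - 4, then strcat of a trailer of at least 14 bytes.
static const size_t kBufSize = 512;
static const size_t kOriginalSlack = 4;

// Constructed stand-in for the trailer that gets strcat'ed on (assumption:
// not the literal apt string; only its 14-byte length matches the report).
static const char kTrailer[] = " TRAILER-XXXX\n";
static_assert(sizeof(kTrailer) == 15, "trailer must be 14 chars plus NUL");

// Bytes the fixed-buffer version would write past the end of the 512-byte
// array for a formatted message of fmtLen characters, given the slack
// reserved in the vsnprintf size argument. 0 means everything fits.
//   vsnprintf(S, kBufSize - slack, ...) stores at most kBufSize - slack - 1
//   characters plus a NUL; strcat then appends strlen(kTrailer) characters
//   plus its own NUL starting at that position.
size_t overrunBytes(size_t fmtLen, size_t slack) {
    size_t kept = std::min(fmtLen, kBufSize - slack - 1);
    size_t total = kept + strlen(kTrailer) + 1;   // +1 for the final NUL
    return total > kBufSize ? total - kBufSize : 0;
}

// std::string replacement: size the storage from vsnprintf's return value,
// so neither the formatted text nor the trailer can exceed the storage and
// nothing is silently truncated. (Hypothetical name; not apt's signature.)
std::string buildMsg(const char *fmt, ...) {
    va_list args;
    va_start(args, fmt);
    va_list probe;
    va_copy(probe, args);
    int needed = vsnprintf(nullptr, 0, fmt, probe);   // length without NUL
    va_end(probe);

    std::string out;
    if (needed > 0) {
        out.resize(static_cast<size_t>(needed) + 1);   // room for the NUL
        vsnprintf(&out[0], out.size(), fmt, args);
        out.resize(static_cast<size_t>(needed));       // drop the NUL again
    }
    va_end(args);
    out += kTrailer;
    return out;
}

int main() {
    // Original "- 4": a long message is cut to 507 chars, then 15 more bytes
    // (14-char trailer + NUL) land at offset 507, i.e. 10 bytes past the end.
    printf("slack %zu, 600-char message: overrun %zu bytes\n",
           kOriginalSlack, overrunBytes(600, kOriginalSlack));
    // Suggested "- 24": 487 kept + 15 = 502 bytes, fits, but the message is truncated.
    printf("slack 24, 600-char message: overrun %zu bytes\n", overrunBytes(600, 24));
    // std::string version: full message plus trailer, 614 bytes, no truncation.
    std::string big(600, 'a');
    printf("std::string version length: %zu\n", buildMsg("%s", big.c_str()).size());
    return 0;
}
```

Running the check with the original slack of 4 shows the 10-byte overrun for any message longer than 497 characters; with a slack of 24 the trailer always fits, but the formatted command is still silently cut at 487 characters, which is the caveat behind replacing the fixed buffer outright rather than only adjusting the vsnprintf bound.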