[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19

From: nobody
Subject: [Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19 files
Date: Wed, 30 Oct 2002 01:48:19 -0500

=================== BUG #1551: LATEST MODIFICATIONS ==================

Changes by: Theodore A. Roth <address@hidden>
Date: 2002-Oct-29 22:48 (US/Pacific)

------------------ Additional Bug Attachment  ----------------------------
File name: uisp-bug-1551.diff             Size:1 KB
proposed fix

=================== BUG #1551: FULL BUG SNAPSHOT ===================

Submitted by: None                      Project: AVR In-System Programmer       
Submitted on: 2002-Oct-29 14:38
Category:  None                         Severity:  9 - Critical                 
Bug Group:  None                        Resolution:  None                       
Assigned to:  troth                     Status:  Open                           

Summary:  Buffer overflow causes crash in uisp on some s19 files

Original Submission:  From: <address@hidden>

When using --upload or --verify with some .s19 files, uisp segfaults.  It turns 
out that the segment name contained in these .s19 files is 40 characters long, 
and uisp uses a 32-character buffer to store them.  This is a security hole - 
somebody could give you an .s19 file, and when you attempt to install it on an 
atmel, your machine could execute arbitrary code!

Attached is a patch to increase the segment name buffer to 260 characters, 
hopefully avoiding this problem.  However, my patch does not fix the security 
hole - the file reading portion of the uisp code would need a complete rewrite 
to get rid of all of the security holes.

Follow-up Comments

Date: 2002-Oct-29 21:33             By: troth
This is particularly nasty since uisp may be run SUID root if the user wishes 
to use direct parallel port access.

Could I get a file which causes this behaviour for testing?

CC List

CC Address                          | Comment
address@hidden                      | 

File Attachments

Date: 2002-Oct-29 22:48  Name: uisp-bug-1551.diff  Size: 1KB   By: troth
proposed fix

Date: 2002-Oct-29 14:38  Name: uisp-buffer-overflow.patch  Size: 0KB   By: None


For detailed info, follow this link:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]