[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Uisp-dev] Re: [Bug #1551] Buffer overflow causes crash in uisp on some

From: Theodore A. Roth
Subject: [Uisp-dev] Re: [Bug #1551] Buffer overflow causes crash in uisp on some s19 files
Date: Wed, 30 Oct 2002 11:58:53 -0800 (PST)

Hi Seth,

On Wed, 30 Oct 2002, Seth LaForge wrote:

:) > This is particularly nasty since uisp may be run SUID root if the
:) > user wishes to use direct parallel port access.
:) Dear God no!  The uisp source is nowhere close to secure when SUID
:) root.  Even with this problem fixed, you can easily read or write to
:) any file on the system as root.  If you really want to make it safe to
:) run SUID root, it needs some serious architectural changes.  The code
:) is littered with unsafe string operations.  For example, in the
:) terminal mode you just have to type more than 32 characters to do a
:) buffer overflow attack.

I agree with you completely.

Of course, suid is _strongly_ discouraged and should not even be
documented. ppdev is the correct way to do it, but some people still use
root or suid.

:) I don't think I'd ever trust a suid uisp on a secure system.  What I
:) would trust was a little suid program which could only be used to
:) twiddle bits on the parallel port, and uisp using that program for
:) direct parallel port access.  If you're interested in this approach, I
:) might be convinced to code it up.

I think it drops suid after opening the parallel port. I'll have to check
that again and make sure it does it for all cases.

:) > Could I get a file which causes this behaviour for testing?
:) Execute:
:)   echo 'int main() {}' \
:)      > this_file_has_a_very_long_name_and_may_confuse_uisp.c
:)   avr-gcc this_file_has_a_very_long_name_and_may_confuse_uisp.c \
:)      -Wl,--oformat,srec -o \
:)      this_file_has_a_very_long_name_and_may_confuse_uisp.s19
:) Now, the s19 file contains:
:)   S11300000DC028C027C026C025C024C023C022C0DC
:)   S10D001021C020C01FC01EC01DC087
:)   S113001A11241FBE20E0A89521BD20E025BF40E1A0
:)   S113002AF0E000E1B060206003C0C89531960D92FB
:)   S113003A0031B207D1F700E1B060206001C01D921F
:)   S10F004A0031B207E1F703C000C01895B4
:)   S9030000FC
:) You proposed a patch which included:
:)   --- src/MotIntl.C       13 Jun 2002 10:50:52 -0000      1.3
:)   +++ src/MotIntl.C       30 Oct 2002 07:19:49 -0000
:)   @@ -81,8 +81,9 @@
:)    void TMotIntl::UploadMotorola(){
:)      unsigned char srec_len, buf_len, srec_cc_sum;
:)   -  char seg_name[32];
:)   -  char* p;             /* line buffer pointer */
:)   +  char seg_name[80];    /* format spec says "An S-record will be less 
than or
:)   +                           equal to 78 bytes in length." */
:)   +  char* p;              /* line buffer pointer */
:)      TAddr addr;
:)      TAddr total_bytes_uploaded=0;
:)      TAddr hash_cnt=0;
:) and pointed at <http://www.amelek.gda.pl/avr/uisp/srecord.htm>.  That
:) document says that the entire line will be less than 78 bytes of
:) characters, which means less than 78 / 2 pairs of hex bytes.  However,
:) binutils clearly violates the format described in your page - it
:) creates lines with up to 40 data bytes, meaning 80 characters,
:) resulting in 90 characters with the other fields included.

I figured I'd be proven wrong on that. ;-)

:) Following is a patch which I've tested and believe is correct.  I got
:) rid of the srec_len check - if srec_len is too big, Htoi will run into
:) the CRLF or NUL byte at the end of the string and give up.  I made the
:) buffer 256 bytes long - since srec_len is a single byte, it can't
:) possibly overflow the buffer.

I don't think you need to use more than MI_LINEBUF_SIZE chars in your
buffer since that is all fgets will read when reading a line from the

I still think a bounds check and throw is useful so you might know if
you come across a bogus srec file.

Thanks for the input this.

I'll make up a new patch and let you have a look before I commit it.

Ted Roth

reply via email to

[Prev in Thread] Current Thread [Next in Thread]