splitvt
Monday, February 25th, 2008

I was reading http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060411.html and figured I'd take a look at some of its code. It's not all that secure. Here are some code snippets:

    void splitvtrc()
    {
        …
        char line[BUFSIZ], newline[BUFSIZ*2], *parsed[256];
        …
        for ( i=0, head=ptr=newline; ((ptr-newline)<(BUFSIZ*2-2))
                                            && *tail; ) {
            …
            parsed[i++]=head;   /* <-- no bounds check done for parsed */
            …
        }
    }

    main(argc, argv)
    int argc;
    char *argv[];
    {
        …
        signal(SIGHUP, finish);
        signal(SIGINT, finish);
        signal(SIGQUIT, finish);
        signal(SIGTERM, finish);
        signal(SIGSEGV, finish);
    #ifdef SIGBUS
        signal(SIGBUS, finish);
    #endif
        …
    }

finish() looks like:

    static void finish(sig)
    int sig;
    {
        /* Only call this routine after tty_getmode() has been called */
        /* The tty_reset() call flushes the tty's input buffers. */
        if ( tty_reset(0) pw_name, upper_tty);
        if ( pw && bottomok && lower_tty[0] )
            (void) delutmp(pw->pw_name, lower_tty);
        (void) replace_me();
        if ( sig )
            printf("Exiting due to signal: %d\n", sig);
        exit(sig);
    }

Lots of signal-unsafe stuff is happening there. end_vt100(), for example, does:

    void end_vt100()
    {
        int i;
        if ( ! setup_vt100 )
            return;
        /* Clear any old setup */
        lastwin=(-1);
        for ( i=0; i<upper.rows; ++i )
            (void) free(upper.videomem[i]);
        (void) free(upper.videomem);
        (void) free(upper.tabstops);
        for ( i=0; i<lower.rows; ++i )
            (void) free(lower.videomem[i]);
        (void) free(lower.videomem);
        (void) free(lower.tabstops);
        setup_vt100=0;
        …
    }