2001-Jan-18

Read about Solaris and HPUX cu(1) format bug. I tested NetBSD's:
cu `perl -e 'printf "A" x 99400'`
with a few different values, just got "System not found" or bash "Argument list too long" messages. (I believe I tested this also a few months ago. Now it is good I keep this journal so I can remember!)

grepped through /usr/src looking for format bugs. It is a long, hard process -- especially when the format is defined somewhere else in the code. (I did this once last summer also.)
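Grepping for format bugs is slow because a call whose format comes from a variable looks like any other call. As an added example (not from this journal, not NetBSD code), here is a shell heuristic that lists printf-family, syslog and err/warn calls whose argument list contains no string literal at all, plus a constructed C file to run it against. It cannot see a format that is defined somewhere else, which is exactly the case noted above, and it misses calls split across lines, so a hit is something to read, not a bug.

```shell
#!/bin/sh
# Added example, not from the journal: a grep heuristic for format-string
# review. It lists printf-family, syslog and err/warn calls whose argument
# list contains no string literal, i.e. the format is a variable. Calls split
# across lines, or whose format is set elsewhere, are missed, so treat the
# output as a reading list, not a finding.

# find_nonliteral_formats DIRECTORY: prints file:line:source for each candidate.
find_nonliteral_formats() {
    grep -rnE \
      '(^|[^A-Za-z0-9_])(v?(f|s|sn)?printf|v?syslog|v?warnx?|v?errx?)[[:space:]]*\([^")]*\)' \
      "$1"
}

# write_sample_source FILE: a constructed C file (not real NetBSD code) with
# three literal-format calls and four calls that take the format from a variable.
write_sample_source() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <syslog.h>
#include <err.h>

void report(const char *name, const char *buf, const char *msg, int n)
{
    printf("%s\n", name);               /* literal format */
    fprintf(stderr, "%d items\n", n);   /* literal format */
    err(1, "cannot open %s", name);     /* literal format */
    printf(buf);                        /* candidate: where does buf come from? */
    fprintf(stderr, msg);               /* candidate */
    syslog(LOG_ERR, msg);               /* candidate */
    warnx(msg);                         /* candidate */
}
EOF
}

# Demonstration: write the sample into a scratch directory and scan it.
demo_dir=$(mktemp -d)
write_sample_source "$demo_dir/sample.c"
find_nonliteral_formats "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a real tree with `find_nonliteral_formats /usr/src/bin`; every line it prints is a call to open in an editor, and the real work is then tracing where that variable was filled in.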

Did a few command-line scripts to look for problems in /bin, /sbin and /usr/bin. It took a while. Basically I did:

  find . -name "z*" -ls -exec "{}" `perl -e 'print "a"x99999'` \; >>/home/reed/J 2>&1
(Notice the "z" -- I did start with everything, but sometimes things would just hang up waiting for input or something. Several times, I tested manually like: "./ypwhich `perl -e 'print "a"x99999'`". In another window I would do "tail -f J | sed -e 's/aaaa//g'" and watch the action.)
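As an added example (not from this journal), here is a small POSIX-shell harness that does what the find loop above does, with the two nuisances noted here handled: stdin comes from /dev/null and a watchdog kills anything that still hangs, and the exit status is classified so a segfault (128+11) is distinguished from a clean exit, a watchdog kill, or the shell's own "Argument list too long" failure (status 126). The program paths and argument lengths are assumptions, and awk stands in for perl to build the argument.

```shell
#!/bin/sh
# Added example, not from the journal: probe programs with one very long
# argument and report what happened. Assumptions: POSIX sh, awk, and the
# 128+signal exit-status convention (so 139 means SIGSEGV on this system).

# classify_status STATUS: map a wait(1) status to a short verdict.
classify_status() {
    if   [ "$1" -eq 0 ];   then echo ok
    elif [ "$1" -eq 139 ]; then echo segfault        # 128 + SIGSEGV (11)
    elif [ "$1" -eq 137 ]; then echo timeout         # 128 + SIGKILL from our watchdog
    elif [ "$1" -eq 126 ]; then echo exec-failed     # e.g. "Argument list too long"
    elif [ "$1" -gt 128 ]; then echo "signal $(( $1 - 128 ))"
    else                        echo "exit $1"
    fi
}

# probe_long_arg PROGRAM LENGTH [SECONDS]
# Runs PROGRAM with a single LENGTH-byte argument, stdin from /dev/null,
# and kills it after SECONDS (default 5) so a program waiting for input
# cannot stall the sweep. Prints "PROGRAM LENGTH verdict".
probe_long_arg() {
    prog=$1; len=$2; secs=${3:-5}
    arg=$(awk -v n="$len" 'BEGIN { while (i++ < n) printf "a" }')
    "$prog" "$arg" </dev/null >/dev/null 2>&1 &
    pid=$!
    # Watchdog: SIGKILL the probe if it is still around after $secs seconds.
    ( sleep "$secs"; kill -9 "$pid" 2>/dev/null ) >/dev/null 2>&1 &
    killer=$!
    if wait "$pid"; then status=0; else status=$?; fi
    kill "$killer" 2>/dev/null || true
    printf '%s %s %s\n' "$prog" "$len" "$(classify_status "$status")"
}

# probe_dir DIRECTORY LENGTH [SECONDS]: one verdict line per executable file,
# the same sweep as the find loop but without the argument-list limit of -exec.
probe_dir() {
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            probe_long_arg "$f" "$2" "$3"
        fi
    done
}

# Demonstration on a program every system has; a crash would show as "segfault".
probe_long_arg /bin/echo 99999 5
```

A sweep such as `probe_dir /usr/bin 99999 5 2>/dev/null | grep -v ' ok$'` leaves only the interesting lines; anything reported as segfault or an unexpected signal is what you then rerun by hand under the debugger, as the entry goes on to describe.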

I found three buffer overflows: telnet, tn3270 and zmore! Really zmore is a script that runs "gzip -cdfq". I reported these in two emails (1 / 2) to current-users, and started some discussion. As part of the discussion, I learned more about how to set up for compiling with debugging turned on (it wasn't by default) and some information on using gdb. It was noted that the gdb debugger was confused by the overrun and reported wrong information. Simon Burge worked on a fix for my gzip bug find.

(I closed this bin/12005 PR on 05/Apr/2004. Newer gzip replacement doesn't have problem and can't reproduce anymore on NetBSD 1.6.x system.)

Mr. de Raadt emailed me (off-list): "please try the openbsd one. ... let me know if we missed something." Plus he (braggingly) included some RCS revision logs for his fixes back in 1998. I wonder if he has some filter listening in for certain keywords on NetBSD lists. (Like DJB sometimes pops in to announce some lawsuit on some list once he hears "qmail".) I looked at the OpenBSD cvsweb and also I plugged in a monitor and booted my OpenBSD 2.7 box -- no seg faults. Debian Linux 2.2 also acted the same as OpenBSD (no tn3270 in Debian).