uisp-dev

[Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19


From: nobody
Subject: [Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19 files
Date: Wed, 30 Oct 2002 01:48:19 -0500

=================== BUG #1551: LATEST MODIFICATIONS ==================
http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=1551&group_id=2117

Changes by: Theodore A. Roth <address@hidden>
Date: 2002-Oct-29 22:48 (US/Pacific)

------------------ Additional Bug Attachment  ----------------------------
File name: uisp-bug-1551.diff             Size:1 KB
proposed fix
http://savannah.nongnu.org/bugs/download.php?group_id=2117&bug_id=1551&bug_file_id=126



=================== BUG #1551: FULL BUG SNAPSHOT ===================


Submitted by: None                      Project: AVR In-System Programmer       
Submitted on: 2002-Oct-29 14:38
Category:  None                         Severity:  9 - Critical                 
Bug Group:  None                        Resolution:  None                       
Assigned to:  troth                     Status:  Open                           

Summary:  Buffer overflow causes crash in uisp on some s19 files

Original Submission:  From: <address@hidden>

When using --upload or --verify with some .s19 files, uisp segfaults.  It turns 
out that the segment name contained in these .s19 files is 40 characters long, 
and uisp uses a 32-character buffer to store them.  This is a security hole - 
somebody could give you an .s19 file, and when you attempt to install it on an 
atmel, your machine could execute arbitrary code!

Attached is a patch to increase the segment name buffer to 260 characters, 
hopefully avoiding this problem.  However, my patch does not fix the security 
hole - the file reading portion of the uisp code would need a complete rewrite 
to get rid of all of the security holes.

Follow-up Comments
*******************

-------------------------------------------------------
Date: 2002-Oct-29 21:33             By: troth
This is particularly nasty since uisp may be run SUID root if the user wishes 
to use direct parallel port access.

Could I get a file which causes this behaviour for testing?


CC List
*******

CC Address                          | Comment
------------------------------------+-----------------------------
address@hidden                      | 



File Attachments
****************

-------------------------------------------------------
Date: 2002-Oct-29 22:48  Name: uisp-bug-1551.diff  Size: 1KB   By: troth
proposed fix
http://savannah.nongnu.org/bugs/download.php?group_id=2117&bug_id=1551&bug_file_id=126

-------------------------------------------------------
Date: 2002-Oct-29 14:38  Name: uisp-buffer-overflow.patch  Size: 0KB   By: None

http://savannah.nongnu.org/bugs/download.php?group_id=2117&bug_id=1551&bug_file_id=125


For detailed info, follow this link:
http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=1551&group_id=2117
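
The length check this report turns on, as an added example (not uisp's code and not either attached patch): a reader for an .s19 header record that rejects a name too long for the caller's buffer, whatever size that buffer is. It assumes the segment name is carried in the data field of the S0 record; `srec_header_name` and `SEG_NAME_MAX` are hypothetical names, and the sample record is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SEG_NAME_MAX 32 /* hypothetical name; 32 is the size quoted in the report */

/* Decode two hex digits to 0..255; -1 if either character is not hex. */
static int hex_byte(const char *p)
{
    int v = 0;
    for (int i = 0; i < 2; i++) {
        int c = (unsigned char)p[i];
        if (!isxdigit(c)) return -1;
        v = v * 16 + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    return v;
}

/* Copy the name from an S0 record into out[outsz]. Returns its length, or -1
 * if the record is malformed, fails its checksum, or the name does not fit. */
int srec_header_name(const char *line, char *out, size_t outsz)
{
    if (outsz == 0 || strncmp(line, "S0", 2) != 0) return -1;
    size_t pairs = strlen(line + 2) / 2;          /* hex pairs present */
    int count = pairs ? hex_byte(line + 2) : -1;  /* bytes after the count */
    if (count < 3 || (size_t)count + 1 > pairs) return -1;
    size_t name_len = (size_t)count - 3;          /* less address and checksum */
    if (name_len >= outsz) return -1;             /* length check before any write */
    unsigned sum = (unsigned)count;
    for (int i = 0; i < count; i++) {
        int b = hex_byte(line + 4 + 2 * i);
        if (b < 0) return -1;
        sum += (unsigned)b;
        if (i >= 2 && i < count - 1) out[i - 2] = (char)b;
    }
    out[name_len] = '\0';
    return (sum & 0xFF) == 0xFF ? (int)name_len : -1;
}

int main(void)
{
    char name[SEG_NAME_MAX];
    /* Constructed sample: S0 record carrying the 4-byte name "uisp". */
    int n = srec_header_name("S00700007569737037", name, sizeof name);
    printf("%d %s\n", n, n < 0 ? "(rejected)" : name);
    return n == 4 ? 0 : 1;
}
```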



