Bug#267101: termpkg: remote root vulnerabilities (2/2)
From Max Vozeler@1:229/2 to All on Fri Aug 20 20:30:14 2004
[continued from previous message]
1018 strcpy(portStr, ".*");
1019 strcpy(devcStr, ".*");
1020 cp = (char*)pStr;
1021 for (;;)
1022 {
..
1031 if (strcmp(tmpBuf, "port") == 0)
1032 cp = getStr(portStr, cp);
1033 else if (strcmp(tmpBuf, "device") == 0)
1034 cp = getStr(devcStr, cp);
getStr() copies the input string to the target buffer without bounds
checking. When pStr is sufficiently large, getStr() can cause a stack
overflow here past portStr[80] and devcStr[80].
For a fix, I'd make the caller specify how much may be written by
getStr(), see attached patch-getstr-bof.diff. Again it's not very well
tested, sorry for lacking the time currently to do this properly.
If you have any questions, or I have missed something, please let me
know.
Greets,
Max
--
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC
--- tnlSubOptions.c.orig 2004-06-29 11:30:54.000000000 +0200
+++ tnlSubOptions.c 2004-06-29 11:31:04.000000000 +0200
@@ -76,7 +76,7 @@
*/
static void getOption(int ch)
{
- if (strlen(optionBuffer) < sizeof(optionBuffer) - 1)
+ if (pOption - optionBuffer < sizeof(optionBuffer) - 1)
{
*(pOption++) = ch;
*pOption = '\0';
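Review bot: the new condition compares a signed pointer difference against an unsigned sizeof expression, so `pOption - optionBuffer` is converted to unsigned before the comparison. A negative difference would wrap to a large value and skip the write, which fails in the safe direction, but the conversion is implicit and compilers warn about it; suggest writing `(size_t)(pOption - optionBuffer) < sizeof(optionBuffer) - 1`. The bound now depends entirely on pOption being reset to optionBuffer at the start of every suboption, which this hunk does not show and should be confirmed. Characters beyond the limit are still dropped silently, so a debug log on that path would make a truncated option visible.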
--- tnlSubOptions.c.orig 2004-06-29 11:06:56.000000000 +0200
+++ tnlSubOptions.c 2004-06-29 11:07:40.000000000 +0200
@@ -121,7 +121,7 @@
if (dbg) syslog(LOG_DEBUG, "doSubOption():Option |%s|", optionBuffer);
if (dbg) syslog(LOG_DEBUG, "doSubOption():Copying new option |%s| to %lx",
optionBuffer, (unsigned long)pSubOptions[option]);
- strcpy(pSubOptions[option], optionBuffer);
+ strncpy(pSubOptions[option], optionBuffer, 127);
if (dbg) syslog(LOG_DEBUG, "doSubOption():Calling Call Back");
doCallBack(TNL_ISSUBOPTDATA_CB, option, (void *)pSubOptions[option], NULL);
if (dbg) syslog(LOG_DEBUG, "doS
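Review bot: `strncpy(pSubOptions[option], optionBuffer, 127)` leaves the destination without a terminating NUL when optionBuffer holds 127 or more characters, and the destination is passed to doCallBack() on the next line. Add an explicit terminator after the copy, for example `pSubOptions[option][127] = '\0';` if the destination is 128 bytes, which this hunk does not show. The literal 127 should be a named constant or derived from the allocation size so the bound cannot drift away from the buffer it protects.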
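An added example, not part of the original message and not the attached patch-getstr-bof.diff: one way a getStr()-style helper can take the destination size from the caller, as the message proposes for the portStr[80] / devcStr[80] overflow. The names get_str_bounded and parse_fields, the whitespace-delimited input format and the reject-on-truncation policy are assumptions; only the 80-byte buffers, the ".*" defaults and the port/device keys come from the excerpt.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define FIELD_LEN 80  /* size of portStr[] / devcStr[] in the report */

/* Hypothetical bounded variant of getStr(): copies one whitespace-delimited
 * token (assumed format) into dst, writing at most dstsize bytes including
 * the NUL. Returns a pointer past the token; *truncated is set when the
 * token did not fit, so the caller can reject the request. */
static const char *get_str_bounded(char *dst, size_t dstsize,
                                   const char *src, int *truncated)
{
    size_t n = 0;
    *truncated = 0;
    while (isspace((unsigned char)*src)) src++;
    for (; *src && !isspace((unsigned char)*src); src++) {
        if (n + 1 < dstsize) dst[n++] = *src;
        else *truncated = 1;
    }
    if (dstsize > 0) dst[n] = '\0';
    return src;
}

/* Key/value loop shaped like the excerpt. Returns 0 on success, -1 on an
 * oversized token or unknown key (rejecting is this example's choice). */
int parse_fields(const char *input, char *port, char *device)
{
    char key[16];
    int trunc;
    const char *cp = input;
    strcpy(port, ".*"); strcpy(device, ".*");   /* defaults, as in the excerpt */
    for (;;) {
        cp = get_str_bounded(key, sizeof key, cp, &trunc);
        if (key[0] == '\0') return 0;   /* end of input */
        if (trunc) return -1;
        if (strcmp(key, "port") == 0)
            cp = get_str_bounded(port, FIELD_LEN, cp, &trunc);
        else if (strcmp(key, "device") == 0)
            cp = get_str_bounded(device, FIELD_LEN, cp, &trunc);
        else return -1;
        if (trunc) return -1;
    }
}

int main(void)
{
    char port[FIELD_LEN], dev[FIELD_LEN];
    int rc = parse_fields("port 23 device ttyS0", port, dev); /* constructed */
    printf("rc=%d port=%s device=%s\n", rc, port, dev);
    return 0;
}
```

Because the helper always consumes the whole token, an oversized value is reported once and never spills into the adjacent buffer or desynchronises the parse.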