tetrix.1.13.16.bof.txt

Date: 17 Aug 1999
Reported by: Packet Storm
Type: packetstorm
Source: packetstormsecurity.com

Buffer overflow in the Tetrix (tetrinetx) 1.13.16 TetriNet daemon for Linux: the reverse-resolved hostname of a connecting client is copied with strcpy() into fixed 121-byte buffers, so a client whose reverse name is long enough overflows them on connect to port 31457. A patch is posted that sizes the buffers by UHOSTLEN and bounds the copy with strncpy(); a follow-up reply points out that the patch's string termination is wrong.

Code
Date: Wed, 17 Feb 1999 13:03:45 -0800  
From: Steven Hodges <[email protected]>  
To: [email protected]  
Subject: Tetrix 1.13.16 is Vulnerable  
  
I have recently found a buffer overflow in a TetriNet daemon for Linux  
called "Tetrix". To exploit this bug, you will need a hostname longer than  
122 characters, and any method of connecting to the host on port 31457.  
Once you are connected, the overflow should take place.  
  
Here is the patch!  
  
  
----------------------------------snip snip-------------------------------  
diff -ru tetrinetx-1.13.16.orig/src/main.c tetrinetx-1.13.16/src/main.c  
--- tetrinetx-1.13.16.orig/src/main.c Thu Dec 24 00:24:50 1998  
+++ tetrinetx-1.13.16/src/main.c Sun Feb 14 16:22:45 1999  
@@ -2561,7 +2562,7 @@  
/* Someone has just connected. So lets answer them */  
void net_telnet(struct net_t *n, char *buf)  
{  
- unsigned long ip; int k,l; char s[121]; char strg[121];  
+ unsigned long ip; int k,l; char s[UHOSTLEN]; char strg[121];  
char n1[4], n2[4], n3[4], n4[4];  
struct channel_t *chan, *ochan;  
struct net_t *net;  
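Review bot: `strg[121]` keeps its fixed size in the same declaration while `s` grows to UHOSTLEN; if strg is filled from s or from the hostname further down net_telnet() (not visible in this hunk), the overflow is moved rather than removed, so either declare `char strg[UHOSTLEN];` as well or confirm every write into strg is bounded. The header `@@ -2561,7 +2562,7 @@` also shows the new file offset by one line for a hunk that adds none and has no earlier hunk in main.c, which suggests the patch was hand-edited or taken against a tree with other changes; regenerate it with `diff -u` from a clean 1.13.16 so it applies without fuzz.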
diff -ru tetrinetx-1.13.16.orig/src/main.h tetrinetx-1.13.16/src/main.h  
--- tetrinetx-1.13.16.orig/src/main.h Thu Dec 24 00:24:50 1998  
+++ tetrinetx-1.13.16/src/main.h Sun Feb 14 16:19:06 1999  
@@ -48,9 +48,8 @@  
#define SERVERBUILD "16" /* What build we are at */  
#define NICKLEN 30 /* Maximum length of Nickname */  
#define VERLEN 10 /* Maximum length of Tetrinet version */  
-#define UHOSTLEN 30 /* Maximum length of Hostname */  
+#define UHOSTLEN 256 /* Maximum length of Hostname */  
#define TEAMLEN NICKLEN /* Maximum length of teamname */  
-/*#define MAXNET 80*/ /* Maximum network sockets */  
#define MAXWINLIST 100 /* Maximum entries on Winlist */  
#define TELNET_PORT 31457 /* Telnet port to listen on */  
#define QUERY_PORT 31456 /* Query port to listen on */  
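Review bot: raising UHOSTLEN from 30 to 256 only helps where buffers are actually declared with it; the overflowing buffers were hard-coded `char s[121]`, so the old macro evidently was not used for them, and any remaining `[121]` hostname buffer in the tree (strg in main.c is one candidate) needs the same audit. 256 covers the 255-octet maximum of a fully qualified DNS name, but gethostbyaddr() does not enforce that limit, so the copy in net.c must still be length-bounded rather than trusting the new size. Deleting the commented-out `/*#define MAXNET 80*/` is unrelated cleanup and belongs in a separate change.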
diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c  
--- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998  
+++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999  
@@ -250,15 +250,17 @@  
unsigned long ip;  
{  
struct hostent *hp; unsigned long addr=ip;  
- unsigned char *p; static char s[121];  
-/* alarm(10);*/  
+ unsigned char *p; static char s[UHOSTLEN];  
+  
hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/  
if (hp==NULL) {  
p=(unsigned char *)&addr;  
sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);  
return s;  
}  
- strcpy(s,hp->h_name); return s;  
+ strncpy(s,hp->h_name,(UHOSTLEN-1));  
+ s[strlen(s)]='\0';  
+ return s;  
}  
  
/* short routine to answer a connect received on a socket made previously  
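Review bot: `s[strlen(s)]='\0';` after the bounded strncpy() cannot terminate a string that strncpy() left unterminated, because strlen() itself needs a terminator to find and will read on past s[] until it meets one; the idiom is `strncpy(s,hp->h_name,UHOSTLEN-1); s[UHOSTLEN-1]='\0';`. The hunk also deletes the commented-out `/* alarm(10);*/` but leaves `/*alarm(0);*/` on the gethostbyaddr() line; drop both or keep both, and keep that cleanup separate from the overflow fix.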
----------------------------------snip snip-------------------------------  
  
---------------------------------------------------------------------------  
  
Date: Fri, 19 Feb 1999 11:04:42 +0100  
From: Pavel Machek <[email protected]>  
To: [email protected]  
Subject: Re: Tetrix 1.13.16 is Vulnerable  
  
Hi!  
  
> I have recently found a buffer overflow in a TetriNet daemon for Linux  
> called "Tetrix". To exploit this bug, you will need a hostname longer than  
> 122 characters, and any method of connecting to the host on port 31457.  
> Once you are connected, the overflow should take place.  
>  
> here is the patch!  
  
...which does not work.  
  
> diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c  
> --- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998  
> +++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999  
> @@ -250,15 +250,17 @@  
> unsigned long ip;  
> {  
> struct hostent *hp; unsigned long addr=ip;  
> - unsigned char *p; static char s[121];  
> -/* alarm(10);*/  
> + unsigned char *p; static char s[UHOSTLEN];  
> +  
> hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/  
> if (hp==NULL) {  
> p=(unsigned char *)&addr;  
> sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);  
> return s;  
> }  
> - strcpy(s,hp->h_name); return s;  
> + strncpy(s,hp->h_name,(UHOSTLEN-1));  
> + s[strlen(s)]='\0';  
> + return s;  
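Review bot: on this particular declaration the missing terminator is masked: `s` is static, so s[UHOSTLEN-1] is zero from program start, and neither strncpy() with a length of UHOSTLEN-1 nor the 15-character dotted-quad sprintf() ever writes that byte, so the buffer happens to stay terminated and a test with an over-long reverse name would not reveal the defect. Changing the storage class or the copy length would expose it, so make the termination explicit with `s[UHOSTLEN-1]='\0';` instead of relying on it by accident.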
  
If s is not null-terminated after strncpy...  
  
The strncpy() function is similar, except that not more  
than n bytes of src are copied. Thus, if there is no null  
byte among the first n bytes of src, the result will not be  
null-terminated.  
  
...then s[strlen(s)]='\0'; will not help it - because strlen() looks  
for \0 :-).  
  
s[UHOSTLEN-1]='\0'; would be correct.  
  
Pavel  
  
--  
I'm really [email protected]. Pavel  
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).  
  
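The failure mode discussed in both messages, as an added example that is not part of the original thread or of the Tetrix source. It assumes only what the patch shows (a 121-byte hostname buffer, UHOSTLEN of 256, strncpy() with UHOSTLEN-1 followed by s[strlen(s)]='\0', and a static s in net.c); the hostname is constructed, and each nominal buffer is modelled as the front of a larger array so the demonstration is itself well-defined C rather than a live overflow.

```c
/* Added example, not code from Tetrix or from either e-mail.  It models the
 * hostname copy from net.c in three forms on a constructed hostname: the
 * unpatched strcpy() into char s[121], the posted patch on a buffer whose
 * tail is not already zero, and the same patch on the static buffer the
 * daemon actually uses.  Each nominal buffer lives at the start of a larger
 * arena so the demonstration stays inside one C object; in the real daemon
 * the bytes past s[] belong to whatever sits next to it in memory. */
#include <stdio.h>
#include <string.h>

#define OLD_BUFLEN 121   /* char s[121] in the unpatched main.c / net.c */
#define UHOSTLEN   256   /* value set by the posted patch */
#define ARENA      1024  /* model buffer: nominal buffer plus "neighbour" bytes */

/* Constructed hostname: host_len repeated 'a' characters (assumption: any
 * length up to ARENA-1; gethostbyaddr() itself imposes no limit). */
static void make_host(char *out, size_t host_len)
{
    if (host_len >= ARENA) host_len = ARENA - 1;
    memset(out, 'a', host_len);
    out[host_len] = '\0';
}

/* Unpatched code: strcpy(s, hp->h_name) with s = arena[0..OLD_BUFLEN-1].
 * Returns how many sentinel bytes beyond the 121-byte buffer the copy
 * overwrote, i.e. the size of the overflow. */
size_t demo_overflow_bytes(size_t host_len)
{
    char host[ARENA], arena[ARENA];
    size_t i, clobbered = 0;
    make_host(host, host_len);
    memset(arena, 0xAA, sizeof arena);
    strcpy(arena, host);
    for (i = OLD_BUFLEN; i < sizeof arena; i++)
        if ((unsigned char)arena[i] != 0xAA) clobbered++;
    return clobbered;
}

/* Patch as posted, but on a buffer whose tail is not already zero:
 *   strncpy(s, name, UHOSTLEN-1); s[strlen(s)] = '\0';
 * Returns 1 if a NUL ends up inside the first UHOSTLEN bytes, else 0. */
int demo_broken_fix_terminated(size_t host_len)
{
    char host[ARENA], arena[ARENA];
    make_host(host, host_len);
    memset(arena, 'X', sizeof arena);   /* non-zero "neighbour" bytes after s[] */
    arena[sizeof arena - 1] = '\0';     /* gives strlen() somewhere to stop inside the model */
    strncpy(arena, host, UHOSTLEN - 1);
    arena[strlen(arena)] = '\0';        /* strlen() already needed a NUL to stop: no-op */
    return memchr(arena, '\0', UHOSTLEN) != NULL;
}

/* The fix a reviewer asks for: terminate the last byte of s[] unconditionally. */
int demo_correct_fix_terminated(size_t host_len)
{
    char host[ARENA], arena[ARENA];
    make_host(host, host_len);
    memset(arena, 'X', sizeof arena);
    strncpy(arena, host, UHOSTLEN - 1);
    arena[UHOSTLEN - 1] = '\0';
    return memchr(arena, '\0', UHOSTLEN) != NULL && strlen(arena) <= UHOSTLEN - 1;
}

/* Patch as posted on the daemon's real declaration, static char s[UHOSTLEN]:
 * s[UHOSTLEN-1] is zero from program start and strncpy(..., UHOSTLEN-1) never
 * touches it, so the string is terminated by accident, not by the no-op line.
 * Returns the length a caller would see. */
size_t demo_static_patch_len(size_t host_len)
{
    static char s[UHOSTLEN];
    char host[ARENA];
    make_host(host, host_len);
    strncpy(s, host, UHOSTLEN - 1);
    s[strlen(s)] = '\0';
    return strlen(s);
}

int main(void)
{
    printf("unpatched strcpy, 300-char name: %zu bytes written past s[%d]\n",
           demo_overflow_bytes(300), OLD_BUFLEN);
    printf("posted patch, non-zero buffer tail: terminated=%d\n",
           demo_broken_fix_terminated(300));
    printf("s[UHOSTLEN-1]='\\0' instead:         terminated=%d\n",
           demo_correct_fix_terminated(300));
    printf("posted patch on static s:           strlen=%zu\n",
           demo_static_patch_len(300));
    return 0;
}
```

Compile with `cc -o tetrix_demo tetrix_demo.c` (the file name is an assumption) and run it. The four lines show the overflow size for a 300-character name, that the posted termination does nothing when the bytes after the copy are non-zero, that `s[UHOSTLEN-1]='\0'` always leaves a terminated string, and that the daemon's static `s` stays terminated only because its last byte is never written.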
