On Wednesday 04 October 2006 14:42, Biswatosh wrote:

> That was a nice explanation Kai. But I still need to
> be 100% clear on this fix.

Then I guess you need one of the developers to answer you on that one. :)

> My question is, what was the attack and how was it
> averted by doing this?
> **********************************************
> - if (strcmp(realm, text->realm) != 0) {
> + if (((realm != NULL) && (strcmp(realm,
> text->realm) != 0)) &&
> + (text->realm[0] != 0)) {
> SETERROR(sparams->utils,....
> ***********************************************
> All I know is from
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
> How a "text->realm != 0" and a "realm != NULL", could
> avert that attack?

The old check causes a segfault if realm was a null pointer on the strcmp()
check. This was fixed with the realm != NULL check. I figure the
text->realm[0] != 0 check was just added to avoid a wrong return value on the
first use of a context. That's a speculation on my part, though.

Cheers,
Kai

-- 
Kai Blin, <blin At gmx Dot net>
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin/
--
Ninjas and Pirates agree: Cowboys suck!
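Review bot: the rewritten condition in the `+` lines turns a NULL `realm` from a crash into a silent pass, because the whole conjunction is false whenever `realm == NULL`, so a missing realm now takes the same path as a matching one; if a missing realm is not a legitimate state at this point, it should be rejected explicitly (a separate `if (realm == NULL) { SETERROR(...); ... }` before the comparison) rather than falling through. The added `(text->realm[0] != 0)` clause also needs a comment stating what it covers (presumably a context whose realm has not been recorded yet), since both the question and the reply have to guess at its purpose. Note as well that neither clause guards `text->realm` itself, so the patch still relies on every context having a (possibly empty) realm string allocated before this check runs.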
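To make the behaviour Kai describes concrete, the following is an added C example written for this page; it is not code from Cyrus SASL or from either poster. It isolates the patched condition into a small helper so the three cases discussed (NULL realm, realm differing from the stored one, context with no realm recorded yet) can be exercised without the rest of the server. The `struct ctx` and the function names are constructed stand-ins for the real `text` context; the extra guard on `text->realm` itself being NULL is an addition beyond what the quoted patch does and is marked as such.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server-side context ("text" in the patch).
 * Only the realm field matters for this example. */
struct ctx {
    const char *realm;  /* realm recorded on first use; "" while none has been recorded */
};

/* Return 1 if the client-supplied realm is acceptable for this context and
 * 0 if the server should raise the "realm changed" error.
 *
 * The reject condition mirrors the patched line:
 *     realm != NULL && strcmp(realm, text->realm) != 0 && text->realm[0] != 0
 * so a NULL realm and a context with no recorded realm both pass.
 * The unpatched code called strcmp(realm, text->realm) unconditionally,
 * which dereferences a NULL realm and crashes. */
int realm_acceptable(const char *realm, const struct ctx *text)
{
    /* Added beyond the patch: never dereference a context without a realm string. */
    if (text == NULL || text->realm == NULL)
        return 0;

    if (realm == NULL)
        return 1;               /* the case that used to segfault inside strcmp() */

    if (text->realm[0] == '\0')
        return 1;               /* first use of the context: nothing to compare against */

    return strcmp(realm, text->realm) == 0;
}

/* Convenience wrapper: build a context holding `stored` and run the check.
 * Pass NULL for `stored` to simulate a context with no realm buffer at all. */
int realm_check_with(const char *realm, const char *stored)
{
    struct ctx text;
    text.realm = stored;
    return realm_acceptable(realm, &text);
}

int main(void)
{
    /* Constructed inputs; expected results: 1, 0, 1, 1, 0 */
    printf("match          -> %d\n", realm_check_with("example.org", "example.org"));
    printf("mismatch       -> %d\n", realm_check_with("other.org", "example.org"));
    printf("NULL realm     -> %d\n", realm_check_with(NULL, "example.org"));
    printf("first use      -> %d\n", realm_check_with("anything", ""));
    printf("no realm buf   -> %d\n", realm_check_with("anything", NULL));
    return 0;
}
```

The ordering inside `realm_acceptable` is what matters for the crash: every pointer is tested before it is dereferenced, which is exactly what the `realm != NULL` clause placed ahead of `strcmp()` achieves in the patch.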