DHCPD contains C includes that sometimes define vsnprintf() as vsprintf()

Summary: 
DHCPD, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function.
CVE: 
CVE-2004-0461
CERT: 
VU#654390
Posting date: 
22 Jun 2004
Program Impacted: 
DHCP
Versions affected: 
3.0.1rc12, 3.0.1rc13
Severity: 
Medium
Exploitable: 
Remotely
Description: 

ISC DHCP makes use of the vsnprintf() function for writing various log file strings. For systems that do not support vsnprintf(), a C include file was created that defines vsnprintf() as vsprintf(), as follows:

#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

vsprintf() does not check bounds, so the size argument is discarded, creating the potential for a buffer overflow when client-provided data is supplied. Note that the vsnprintf() statements are defined after the vulnerable code that is discussed in VU#317350. This means that VU#317350 would be triggered prior to these potential buffer overflows, unless a client could specify content to a vsnprintf() statement not associated with logging. It is believed that there aren't any other vsnprintf() statements vulnerable to this type of exploitation.
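
The effect of that definition can be measured directly. The following is an added example, not ISC DHCP code: it formats the same input once through the macro and once through the real vsnprintf(), then counts the bytes written past the size the caller passed. The names compat_vsnprintf, format_and_measure and SAMPLE, the buffer sizes and the sample input are assumptions constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ARENA   64   /* bytes really allocated, so the demo stays in valid memory */
#define LOGICAL 16   /* size the caller passes as the buffer limit */
#define GUARD   0x55 /* fill pattern used to detect writes past LOGICAL */

/* The advisory's compatibility definition, renamed (assumption) so the real
   vsnprintf() stays available for comparison. The size argument is dropped. */
#define compat_vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

/* Constructed sample input standing in for client-provided data (40 bytes). */
static const char SAMPLE[] = "aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd";

/* Format into the first LOGICAL bytes of a larger arena. Returns how many
   bytes beyond that limit were modified; out (ARENA bytes) gets the result. */
static size_t format_and_measure(int use_compat, char *out, const char *fmt, ...)
{
    char arena[ARENA];
    size_t i, spilled = 0;
    va_list ap;

    memset(arena, GUARD, sizeof arena);
    va_start(ap, fmt);
    if (use_compat)
        compat_vsnprintf(arena, LOGICAL, fmt, ap); /* limit silently ignored */
    else
        vsnprintf(arena, LOGICAL, fmt, ap);        /* truncates at LOGICAL - 1 */
    va_end(ap);

    for (i = LOGICAL; i < ARENA; i++)
        if (arena[i] != GUARD)
            spilled++;
    memcpy(out, arena, ARENA);
    return spilled;
}

int main(void)
{
    char out[ARENA];
    size_t n = format_and_measure(1, out, "host=%s", SAMPLE);
    printf("compat macro: %lu bytes past limit, \"%s\"\n", (unsigned long)n, out);
    n = format_and_measure(0, out, "host=%s", SAMPLE);
    printf("vsnprintf   : %lu bytes past limit, \"%s\"\n", (unsigned long)n, out);
    return 0;
}
```

In a real caller the destination is exactly as large as the size it passes, so the bytes counted here as written past the limit would land in adjacent memory.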

Workarounds: 

None.

Active exploits: 
None known at this time.
Solution: 

Upgrade to a released version of ISC DHCPD.
