Hello,
Both of those functions in rdesktop.c have some textbook stack-based buffer overflows, as they
assume that the size of the HOME environment variable is less than 256 bytes and use sprintf()
to copy data from there into a stack-based buffer with a hardcoded size of 256. However, you
can set HOME to much larger values. Below is the first case from rdesktop.c:
/* Create the bitmap cache directory */
RD_BOOL
rd_pstcache_mkdir(void)
{
    char *home;
    char bmpcache_dir[256];

    home = getenv("HOME");
    if (home == NULL)
        return False;

    sprintf(bmpcache_dir, "%s/%s", home, ".rdesktop");
    ...
    sprintf(bmpcache_dir, "%s/%s", home, ".rdesktop/cache");
    ...
    return True;
}
And here is the second one:
/* open a file in the .rdesktop directory */
int
rd_open_file(char *filename)
{
    char *home;
    char fn[256];
    int fd;

    home = getenv("HOME");
    if (home == NULL)
        return -1;

    sprintf(fn, "%s/.rdesktop/%s", home, filename);
    ...
    return fd;
}
I would suggest either using a bounded version of sprintf() like snprintf(), or just
allocating a buffer dynamically with sufficient size.
Regards,
Anastasios
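The two fixes suggested in the mail, written out as an added example that is not rdesktop's own code: a bounded variant that treats snprintf() truncation as an error instead of silently producing a wrong path, and a dynamic variant that sizes the buffer from the inputs. Function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened replacements for the rdesktop.c helpers quoted
 * in the mail; names are this example's own, not rdesktop's. */

/* Bounded variant: build "<home>/<suffix>" into a caller-supplied buffer.
 * Returns 0 on success, -1 if the result would not fit or arguments are bad. */
int build_rdesktop_path(const char *home, const char *suffix,
                        char *out, size_t outsz)
{
    int n;

    if (home == NULL || suffix == NULL || out == NULL || outsz == 0)
        return -1;

    /* snprintf never writes more than outsz bytes; its return value is the
     * length the full string would have had, so comparing it with outsz
     * turns an oversized HOME into a clean failure rather than a bad path. */
    n = snprintf(out, outsz, "%s/%s", home, suffix);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Dynamic variant: allocate exactly what the path needs; caller frees.
 * Returns NULL on allocation failure or bad arguments. */
char *alloc_rdesktop_path(const char *home, const char *suffix)
{
    size_t len;
    char *p;

    if (home == NULL || suffix == NULL)
        return NULL;

    len = strlen(home) + 1 + strlen(suffix) + 1;   /* '/' and NUL */
    p = malloc(len);
    if (p == NULL)
        return NULL;
    snprintf(p, len, "%s/%s", home, suffix);
    return p;
}
```

Either helper would be called with the result of getenv("HOME") in place of the hardcoded 256-byte stack buffers, so a long HOME fails the call instead of overrunning the stack.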