Synopsis: sendmail(8) incorrect command line argument check leads to local root privilege hijack
NetBSD versions: 1.5, -current
Reported in NetBSD Security Advisory: NetBSD-SA2001-017
Index: trace.c
===================================================================
RCS file: /cvsroot/gnusrc/gnu/dist/sendmail/sendmail/trace.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -c -p -r1.4 -r1.5
*** trace.c 2000/10/10 11:17:48 1.4
--- trace.c 2001/08/21 07:13:26 1.5
*************** void
*** 63,69 ****
tTflag(s)
register char *s;
{
! int first, last;
register unsigned int i;
if (*s == '\0')
--- 63,69 ----
tTflag(s)
register char *s;
{
! unsigned int first, last;
register unsigned int i;
if (*s == '\0')
*************** tTflag(s)
*** 73,88 ****
{
/* find first flag to set */
i = 0;
! while (isascii(*s) && isdigit(*s))
i = i * 10 + (*s++ - '0');
first = i;
/* find last flag to set */
if (*s == '-')
{
i = 0;
! while (isascii(*++s) && isdigit(*s))
i = i * 10 + (*s - '0');
}
last = i;
--- 73,100 ----
{
/* find first flag to set */
i = 0;
! while (isascii(*s) && isdigit(*s) && i < tTsize)
i = i * 10 + (*s++ - '0');
+
+ /*
+ ** skip over rest of a too large number
+ ** Maybe we should complain if out-of-bounds values are used.
+ */
+
+ while (isascii(*s) && isdigit(*s) && i >= tTsize)
+ s++;
first = i;
/* find last flag to set */
if (*s == '-')
{
i = 0;
! while (isascii(*++s) && isdigit(*s) && i < tTsize)
i = i * 10 + (*s - '0');
+
+ /* skip over rest of a too large number */
+ while (isascii(*s) && isdigit(*s) && i >= tTsize)
+ s++;
}
last = i;
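Review bot: In the second hunk, `first` and `last` can still end up at or above `tTsize`, because each accumulation loop stops only after `i` has already passed the limit and the skip loop then just discards the remaining digits. The hunk therefore bounds the arithmetic (no wrap-around is possible while `i < tTsize` guards the multiply), but not the index; whatever consumes `first`/`last` later in tTflag lies outside this hunk and presumably clamps them, which should be confirmed. I would record that invariant where the value is produced, for example `/* i may be >= tTsize here; it must be clamped before it is used as an index */` after each skip loop. The `unsigned int first, last;` change in the first hunk deserves a one-line comment too, since it appears to be what stops a wrapped negative value from passing an upper-bound comparison. The existing "Maybe we should complain" remark also leaves silent acceptance of out-of-range values as an open decision; logging them would make misuse of the debug flag argument visible.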