From owner-freebsd-arch Tue Dec 12 10:25:10 2000
From owner-freebsd-arch@FreeBSD.ORG Tue Dec 12 10:25:08 2000
Return-Path:
Delivered-To: freebsd-arch@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 17DE337B400; Tue, 12 Dec 2000 10:25:06 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eBCIP4s74927; Tue, 12 Dec 2000 11:25:04 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id LAA31285; Tue, 12 Dec 2000 11:25:03 -0700 (MST)
Message-Id: <200012121825.LAA31285@harmony.village.org>
To: Dag-Erling Smorgrav
Subject: Re: Safe string formatting in the kernel
Cc: assar@FreeBSD.ORG, Matt Dillon, kris@citusc.usc.edu, arch@FreeBSD.ORG
In-reply-to: Your message of "12 Dec 2000 15:42:29 +0100."
References: <20001211185610.A1741@citusc.usc.edu> <200012120259.eBC2xfb99004@earth.backplane.com> <5lhf4ap8cv.fsf@assaris.sics.se>
Date: Tue, 12 Dec 2000 11:25:03 -0700
From: Warner Losh
Sender: imp@harmony.village.org
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message Dag-Erling Smorgrav writes:
: Because there are other issues than just overflowing the buffer.
: There's the issue of truncation (a lot of code uses snprintf() etc.
: without checking if the resulting string was actually truncated, which
: may be a security risk of its own), and there's the issue of using
: large amounts of stack space for buffers (procfs and linprocfs are
: notorious offenders in both these areas, but they're not the only
: ones)

Both strl* and snprintf have a return value so that if you truncate, you can detect it and do something different in the buffer overflow case. There are many times that you want to have a bounded upper bound on the length of the string (path names spring to mind).

There have been zero problems with truncating long strings in the security lists to date. I've not yet seen anything that looks close to an attack with string truncation causing any sorts of problems.

: Vulnerabilities were recently found in the procfs code which were
: successfully solved with snprintf(), but could have been (and
: hopefully will be) solved in a much more elegant and future-proof
: manner using sbufs.

Just be careful that your dynamic string growing things don't violate the hard limit invariants in the kernel. If it produces paths longer than 1023 characters, for example, it is wrong.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
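The return-value check Warner describes, as an added example that is not part of the original thread or of FreeBSD's code: a path join that ignores snprintf's return value beside one that uses it to refuse a truncated result, with PATH_BOUND an assumed stand-in for the kernel's path limit and the 1100-character name a constructed input.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed bound for this example: longest path allowed, NUL included
 * (stand-in for the kernel's MAXPATHLEN). */
#define PATH_BOUND 1024
/* Naive join: discards snprintf's return value, so an over-long input is
 * silently cut off and the caller continues with a path it never asked for. */
void join_path_unchecked(char *dst, size_t dstsize, const char *dir, const char *name)
{
    snprintf(dst, dstsize, "%s/%s", dir, name);
}

/* Checked join: snprintf returns the length the complete string would have
 * had, so n >= dstsize means truncation. Refuse (errno value) instead of
 * handing back a partial path; 0 on success. */
int join_path_checked(char *dst, size_t dstsize, const char *dir, const char *name)
{
    int n = snprintf(dst, dstsize, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';
        return n < 0 ? EINVAL : ENAMETOOLONG;
    }
    return 0;
}

/* Constructed input for the demos: a 1100-character name, longer than the bound. */
static void make_long_name(char *buf, size_t len)
{
    memset(buf, 'a', len - 1);
    buf[len - 1] = '\0';
}

/* Unchecked join of the long name: returns how much was silently kept. */
size_t demo_unchecked(void)
{
    char name[1101], path[PATH_BOUND];
    make_long_name(name, sizeof name);
    join_path_unchecked(path, sizeof path, "/tmp", name);
    return strlen(path);      /* PATH_BOUND - 1 */
}

/* Checked join of the same name: returns the error the caller can act on. */
int demo_checked(void)
{
    char name[1101], path[PATH_BOUND];
    make_long_name(name, sizeof name);
    return join_path_checked(path, sizeof path, "/tmp", name);  /* ENAMETOOLONG */
}
```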