Date:      Tue, 21 Jul 1998 16:14:58 +1000 (EST)
From:      Peter Jeremy <peter.jeremy@alcatel.com.au>
To:        security@FreeBSD.ORG
Subject:   Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID:  <199807210614.QAA19838@gsms01.alcatel.com.au>


On Mon, 20 Jul 1998 14:57:53 -0600 (MDT), Paul Hart <hart@iserver.com> wrote:
>I will not argue with the statement that C gives you the potential to hurt
>yourself.  It does.  BUT, so do power tools, knives, and blunt objects.
And just moving to Modula-3, Ada, APL, Lisp, Scheme, Smalltalk or your
personal language-du-jour doesn't automatically fix the problem.  The
first Ariane-5 rocket had to be destroyed shortly after launch - due
to a bug in its Ada software.  Secure, robust code is hard to write in
any language.  C just makes it a lot easier to write bad code.

>Instead of using strcpy(), use strncpy().
The semantics of strncpy() (and strncat()) are not what I would
consider obvious.  A naive replacement of strcpy() with strncpy() will
not solve all buffer overflow problems - whilst you can't overrun the
buffer you strncpy()'d into, it may no longer be NUL-terminated, which
could be exploited later.  Less importantly, strncpy() is also very
inefficient in the (common) case where large buffers are allocated to
contain (normally) short strings.

IMHO, in general you would be better off defining two functions:
char *strxcpy(char *DST, const char *SRC, size_t LEN)
  copy at most LEN-1 characters from SRC to DST.  Always NUL-terminate
  the result.

char *strxcat(char *DST, const char *SRC, size_t LEN)
  concatenate SRC onto the end of DST, to a maximum total length of
  LEN-1 characters.  Always NUL-terminate the result.

> As a simple example, your entire qpopper problem would have been
>non-existent if the programmer would have used vsnprintf() instead of
>vsprintf().
There is a portability problem here.  For maximum portability, you
need to limit yourself to the Standard C Library - which doesn't
include either [v]snprintf() or any of the building blocks to easily
implement it.  A simple (integer-only and non-reentrant) [v]snprintf()
is about 320 lines (eg the one in X11R6.3).

Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247
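The two functions proposed in the message above, implemented as an added example that is not part of the original post. The names and semantics (copy at most LEN-1 characters, always NUL-terminate) are the message's; the implementation, the strncpy() demonstration and the constructed inputs are mine. The semantics closely match the strlcpy()/strlcat() later adopted by the BSDs, apart from the return type.

```c
#include <stddef.h>
#include <string.h>

/* Copy at most LEN-1 characters from SRC to DST and always NUL-terminate.
 * Returns DST; with LEN == 0 nothing is written. */
char *strxcpy(char *dst, const char *src, size_t len)
{
    size_t i;
    if (len == 0)
        return dst;
    for (i = 0; i < len - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';                       /* unconditional terminator */
    return dst;
}

/* Append SRC to DST, total length at most LEN-1, always NUL-terminated.
 * DST must already be terminated within LEN; if it is not, nothing is
 * written because no byte inside the buffer can safely be overwritten. */
char *strxcat(char *dst, const char *src, size_t len)
{
    size_t used = 0;
    while (used < len && dst[used] != '\0')
        used++;
    if (used == len)
        return dst;
    strxcpy(dst + used, src, len - used);
    return dst;
}

/* The pitfall the message describes: strncpy() into an 8-byte buffer from
 * a source of 8 or more characters leaves no NUL inside the buffer.
 * Returns 1 if a NUL byte is present within the buffer, 0 otherwise. */
int strncpy_leaves_nul(const char *src, size_t len)
{
    char buf[8];
    if (len > sizeof buf)
        len = sizeof buf;
    strncpy(buf, src, len);
    return memchr(buf, '\0', len) != NULL;
}

/* Self-check on constructed inputs: 1 if strxcpy/strxcat behave as specified. */
int strx_selfcheck(void)
{
    char buf[8];
    strxcpy(buf, "abcdefghijkl", sizeof buf);   /* truncated to 7 chars */
    if (strcmp(buf, "abcdefg") != 0) return 0;
    strxcpy(buf, "ab", sizeof buf);
    strxcat(buf, "cdefghij", sizeof buf);       /* total capped at 7 */
    if (strcmp(buf, "abcdefg") != 0) return 0;
    strxcat(buf, "XYZ", sizeof buf);            /* already full: unchanged */
    return strcmp(buf, "abcdefg") == 0;
}
```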
