From owner-freebsd-security Tue Jul 21 00:34:32 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA00331 for freebsd-security-outgoing; Tue, 21 Jul 1998 00:34:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gatekeeper.alcatel.com.au (gatekeeper.alcatel.com.au [203.17.66.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA00325 for ; Tue, 21 Jul 1998 00:34:28 -0700 (PDT) (envelope-from peter.jeremy@alcatel.com.au)
Received: from mfg1.cim.alcatel.com.au ("port 3760"@[139.188.23.1]) by gatekeeper.alcatel.com.au (PMDF V5.1-7 #U2695) with ESMTP id <01IZO525QM8W00007X@gatekeeper.alcatel.com.au> for security@FreeBSD.ORG; Tue, 21 Jul 1998 17:22:16 +1000
Received: from gsms01.alcatel.com.au by cim.alcatel.com.au (PMDF V5.1-10 #23324) with ESMTP id <01IZO2S58WCGJIZ28O@cim.alcatel.com.au> for security@FreeBSD.ORG; Tue, 21 Jul 1998 16:14:59 +1000
Received: (from jeremyp@localhost) by gsms01.alcatel.com.au (8.8.8/8.7.3) id QAA19838 for security@FreeBSD.ORG; Tue, 21 Jul 1998 16:14:58 +1000 (EST)
Date: Tue, 21 Jul 1998 16:14:58 +1000 (EST)
From: Peter Jeremy
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
To: security@FreeBSD.ORG
Message-id: <199807210614.QAA19838@gsms01.alcatel.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Jul 1998 14:57:53 -0600 (MDT), Paul Hart wrote:
>I will not argue with the statement that C gives you the potential to hurt
>yourself. It does. BUT, so do power tools, knives, and blunt objects.

And just moving to Modula-3, Ada, APL, Lisp, Scheme, Smalltalk or your
personal language-du-jour doesn't automatically fix the problem. The first
Ariane-5 rocket had to be destroyed shortly after launch - due to a bug in
its Ada software. Secure, robust code is hard to write in any language.
C just makes it a lot easier to write bad code.

>Instead of using strcpy(), use strncpy().

The semantics of strncpy() (and strncat()) are not what I would consider
obvious. A naive replacement of strcpy() with strncpy() will not solve all
buffer overflow problems - whilst you can't overrun the buffer you
strncpy()'d into, it may no longer be NUL-terminated, which could be
exploited later. Less importantly, strncpy() is also very inefficient in
the (common) case where large buffers are allocated to contain (normally)
short strings.

IMHO, in general you would be better off defining two functions:

char *strxcpy(char *DST, const char *SRC, size_t LEN)
	copy at most LEN-1 characters from SRC to DST. Always NUL-terminate
	the result.

char *strxcat(char *DST, const char *SRC, size_t LEN)
	concatenate SRC onto the end of DST, to a maximum total length of
	LEN-1 characters. Always NUL-terminate the result.

> As a simple example, your entire qpopper problem would have been
>non-existent if the programmer would have used vsnprintf() instead of
>vsprintf().

There is a portability problem here. For maximum portability, you need to
limit yourself to the Standard C Library - which doesn't include either
[v]snprintf() or any of the building blocks to easily implement it. A
simple (integer-only and non-reentrant) [v]snprintf() is about 320 lines
(e.g. the one in X11R6.3).

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015           Fax:   +61 2 9690 5247

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
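The two helpers Peter sketches above, written out as an added example (this is not code from the original post or from any FreeBSD source; only the names `strxcpy`/`strxcat` and their stated contracts come from the message, the bodies are my own). The block also includes a small check, `strncpy_leaves_unterminated()`, that shows the failure mode he describes: a bare `strncpy()` into a fixed buffer writes no terminator when the source is at least as long as the buffer, whereas `strxcpy()` always terminates and stops copying at the source's NUL instead of zero-padding the rest of the destination.

```c
#include <stdio.h>
#include <string.h>

/* Copy at most LEN-1 characters from SRC to DST and always NUL-terminate.
 * Unlike strncpy(), it stops at the first NUL in SRC rather than padding
 * the remainder of DST with zeros, so it is cheap for a short string in a
 * large buffer. With LEN == 0 nothing can be written safely, so DST is
 * returned untouched. */
char *strxcpy(char *dst, const char *src, size_t len)
{
    size_t i;
    if (len == 0)
        return dst;
    for (i = 0; i < len - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return dst;
}

/* Append SRC to DST so that the total length (existing content plus the
 * appended part) is at most LEN-1 characters; always NUL-terminate.
 * The scan for the end of DST is bounded by LEN so a DST that is not
 * terminated within its buffer is left alone instead of being walked past. */
char *strxcat(char *dst, const char *src, size_t len)
{
    size_t used = 0;
    while (used < len && dst[used] != '\0')
        used++;
    if (used >= len)
        return dst;             /* no terminator within LEN: refuse to append */
    strxcpy(dst + used, src, len - used);
    return dst;
}

/* Demonstrates the pitfall in the message: returns 1 if strncpy() of SRC
 * into an 8-byte buffer leaves no NUL anywhere in that buffer, 0 otherwise. */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[8];
    strncpy(buf, src, sizeof buf);  /* writes no NUL when strlen(src) >= 8 */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Self-check on constructed inputs: 1 when both helpers honour their
 * contracts (truncate to LEN-1, always terminate), 0 otherwise. */
int helpers_behave(void)
{
    char buf[8];
    if (strcmp(strxcpy(buf, "0123456789", sizeof buf), "0123456") != 0)
        return 0;
    strxcpy(buf, "abc", sizeof buf);
    if (strcmp(strxcat(buf, "defghijkl", sizeof buf), "abcdefg") != 0)
        return 0;
    strxcpy(buf, "hi", 1);          /* LEN-1 == 0 characters: empty string */
    if (buf[0] != '\0')
        return 0;
    return 1;
}

int main(void)
{
    char buf[8];
    strxcpy(buf, "0123456789", sizeof buf);
    printf("strxcpy into char[8]: \"%s\" (length %lu)\n",
           buf, (unsigned long)strlen(buf));
    strxcpy(buf, "abc", sizeof buf);
    strxcat(buf, "defghijkl", sizeof buf);
    printf("strxcat into char[8]: \"%s\" (length %lu)\n",
           buf, (unsigned long)strlen(buf));
    printf("strncpy of a 10-char string into char[8] unterminated: %d\n",
           strncpy_leaves_unterminated("0123456789"));
    printf("helpers behave as specified: %d\n", helpers_behave());
    return 0;
}
```

Both helpers rely only on the Standard C Library, which is the portability constraint Peter raises in the same message about `[v]snprintf()`; the `strxcat()` bound on the initial scan is the detail that most often gets dropped when people write their own, and it is what keeps an already-unterminated destination from turning into an over-read.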