From: Terry Lambert
Message-Id: <200012130825.BAA26231@usr08.primenet.com>
Subject: Re: Safe string formatting in the kernel
To: kris@citusc.usc.edu
Date: Wed, 13 Dec 2000 08:25:37 +0000 (GMT)
Cc: des@ofug.org (Dag-Erling Smorgrav), arch@FreeBSD.ORG
In-Reply-To: <20001211185610.A1741@citusc.usc.edu> from "kris@citusc.usc.edu" at Dec 11, 2000 06:56:10 PM

> > I've implemented a set of functions for performing safe string
> > formatting in the kernel, based on an initial idea (and design) by
> > Poul-Henning. There's a patch up on freefall:
>
> I haven't reviewed this implementation, but introducing a secure
> string handling API into the kernel has my support as security
> officer. The current abuse of sprintf() in the kernel is really,
> really scary.

FWIW, Linux doesn't have the equivalent of a copyinstr() or other string manipulation. The only place that Linux copies strings in or out is in their path manipulation for file names (unless you count symbol resolution via module loading).
I've been a fan of this approach, ever since I fixed a memory leak in the failure path (submitted via Matt Day in 1997). It is much more robust; I've been troubled by the mount option cruft in BSD, and the more string stuff goes into the kernel, the less happy I become with it.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
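As an added example (not code from this thread and not the API in the patch on freefall), the contrast the thread is about: a bounded formatting helper that reports truncation, next to a check of how far an unbounded sprintf() into the same fixed buffer would have written. The names kfmt_into, fmt_would_overflow and demo, and the "key=value" input, are hypothetical and constructed here.

```c
/* Added example: bounded formatting into a fixed buffer versus what
 * sprintf() would do. kfmt_into/fmt_would_overflow are hypothetical
 * names, not the kernel API proposed in the thread. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Format into buf (size bytes). Always NUL-terminates when size > 0.
 * Returns 1 if output was truncated, 0 if it fit, -1 on format error. */
static int kfmt_into(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= size;   /* n is what sprintf() WOULD have written */
}

/* Would sprintf() into a buffer of 'size' bytes overflow for this input?
 * Computes the required length without writing anywhere. */
static int fmt_would_overflow(size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n + 1 > size;   /* +1 for the terminating NUL */
}

/* Constructed input: a mount-option style string longer than the
 * 16-byte destination it is formatted into. */
#define DST_SIZE 16
static char demo_buf[DST_SIZE];
static const char *long_opt = "rw,noatime,nosuid,nodev,union";

/* Returns 1 when the bounded helper truncated and NUL-terminated the
 * output where sprintf() would have run past the buffer, else 0. */
static int demo(void)
{
    int trunc = kfmt_into(demo_buf, DST_SIZE, "opts=%s", long_opt);
    return trunc == 1 && fmt_would_overflow(DST_SIZE, "opts=%s", long_opt)
        && strlen(demo_buf) == DST_SIZE - 1;
}
```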