From owner-freebsd-security Tue Aug 27 20:08:17 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA19829 for security-outgoing; Tue, 27 Aug 1996 20:08:17 -0700 (PDT)
Received: from psychotic.communica.com.au (gw.communica.com.au [203.8.94.161]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id UAA19805 for ; Tue, 27 Aug 1996 20:08:11 -0700 (PDT)
Received: from communica.com.au (newton@frenzy [192.82.222.1]) by psychotic.communica.com.au (8.6.12/8.6.9) with SMTP id MAA02726; Wed, 28 Aug 1996 12:34:57 +0930
Received: by communica.com.au (4.1/SMI-4.1) id AA14763; Wed, 28 Aug 96 12:34:47 CST
From: newton@communica.com.au (Mark Newton)
Message-Id: <9608280304.AA14763@communica.com.au>
Subject: Re: Vulnerability in the Xt library (fwd)
To: zach@blizzard.gaffaneys.com (Zach Heilig)
Date: Wed, 28 Aug 1996 12:34:47 +0930 (CST)
Cc: gene@starkhome.cs.sunysb.edu, security@freebsd.org
In-Reply-To: <87hgpqo50j.fsf@freebsd.gaffaneys.com> from "Zach Heilig" at Aug 26, 96 04:42:52 am
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Zach Heilig wrote:
> What we need is a lint-like utility (better
> than gcc) that can warn when it finds code like:
>
> {
>     char buf[somesize];
>
>     strcpy(buf, argv[1]);
> }
>
> which is dangerous in all programs, it's just less dangerous than in
> setuid ones.

Ah, you mean like the strcpy(pathbuf, home) in tgetent() in termcap.c?

Really, strcpy isn't all such a program would need to look for. There are
many C library routines which perform no bounds checking (sprintf(), gets(),
strcpy(), to name a few) and, even worse, there are countless home-grown
memory-to-memory copy routines which have been written in ignorance of the
possible consequences of poor range checking, on the assumption that if a
buffer overflows the program will crash and it's the stupid user's own fault.

Essentially, your rebadged "lint" would end up attempting to be a program
which tests the "correctness" of code, and if you can write one of them
then I suspect you'll end up richer than Bill Gates :-)

When gcc started printing "This program uses gets(), which is probably
unsafe" the first time a program called gets(), users yelled and screamed
their complaints for months. Regardless, I believe the best way to deal
with errors caused by buffer overflows in standard C-library routines is
going to be to insert similar warning messages in those programs and make
sure that programmers know that their programs will be ugly if they use 'em.

    - mark

[ running off to find setuid executables linked against termcap... ]

---
Mark Newton                             Email: newton@communica.com.au
Systems Engineer                        Phone: +61-8-373-2523
Communica Systems                       WWW:   http://www.communica.com.au
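The two things this message talks past each other on, the unchecked copy in termcap and the "lint-like" check Zach wants, as an added example that is not part of this message and is not FreeBSD's termcap code. It models tgetent()'s fixed pathbuf filled from $HOME with a bounded copy that reports when the input does not fit (instead of "crash and blame the user"), and then goes a step beyond the mail with a token-level scanner that flags calls to the length-less libc routines Mark lists. The buffer size, every function name, and the scanned source fragment are assumptions made up for the example.

```c
/* Added example, not code from the original mail or from FreeBSD. It models
 * the termcap case (a fixed pathbuf filled from $HOME) with a bounded copy in
 * place of strcpy(), plus a crude scan for the "lint-like" check. Every name,
 * size and source fragment below is assumed, not taken from FreeBSD. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATHBUF_SIZE 64  /* assumed fixed buffer size for the termcap path */

/* Bounded form of strcpy(): never writes past cap bytes, always
 * NUL-terminates. Returns 0 on a complete copy, -1 if src was truncated. */
static int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0) return -1;
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Model of tgetent() building "$HOME/.termcap". Instead of strcpy(pathbuf,
 * home), refuse (path left empty) when it cannot fit: truncating silently
 * would just open the wrong file. Returns 0 on success, -1 if refused. */
static int termcap_path(char *path, size_t cap, const char *home)
{
    if (bounded_copy(path, cap, home) != 0 ||
        strlen(path) + strlen("/.termcap") >= cap) {
        path[0] = '\0';
        return -1;
    }
    strcat(path, "/.termcap");  /* safe: room was checked above */
    return 0;
}

/* Lint-like scan: count calls to libc routines that take no length argument.
 * Whole identifiers only, so strncpy(), snprintf() and fgets() are not hit;
 * it cannot see a home-grown copy loop, which is exactly Mark's objection. */
static const char *const unbounded[] = { "gets", "strcpy", "strcat", "sprintf" };

static int count_unbounded_calls(const char *src)
{
    int hits = 0;
    for (const char *p = src; *p != '\0';) {
        if (!isalpha((unsigned char)*p) && *p != '_') { p++; continue; }
        const char *start = p;
        while (isalnum((unsigned char)*p) || *p == '_') p++;
        size_t len = (size_t)(p - start);
        const char *q = p;
        while (*q == ' ' || *q == '\t') q++;  /* allow "gets (line)" */
        if (*q != '(') continue;
        for (size_t i = 0; i < sizeof unbounded / sizeof unbounded[0]; i++)
            if (strlen(unbounded[i]) == len && memcmp(start, unbounded[i], len) == 0) {
                hits++;
                break;
            }
    }
    return hits;
}

/* Constructed source fragment for the scanner (not real FreeBSD code). */
static const char SAMPLE_SOURCE[] =
    "char buf[64];\n"
    "strcpy(buf, argv[1]);\n"                  /* flagged */
    "strncpy(buf, s, sizeof buf - 1);\n"       /* not flagged */
    "snprintf(buf, sizeof buf, \"%s\", s);\n"  /* not flagged */
    "char *l = gets (line);\n";                /* flagged */

/* Runs the helpers on constructed inputs; returns 1 if all expectations hold. */
static int self_check(void)
{
    char buf[8], path[PATHBUF_SIZE], long_home[PATHBUF_SIZE + 8];
    if (bounded_copy(buf, sizeof buf, "short") != 0 || strcmp(buf, "short") != 0)
        return 0;
    if (bounded_copy(buf, sizeof buf, "this is way too long") != -1 ||
        strcmp(buf, "this is") != 0)           /* 7 chars + NUL fill 8 bytes */
        return 0;
    if (termcap_path(path, sizeof path, "/home/newton") != 0 ||
        strcmp(path, "/home/newton/.termcap") != 0)
        return 0;
    memset(long_home, 'a', sizeof long_home - 1);
    long_home[sizeof long_home - 1] = '\0';    /* 71 bytes: cannot fit */
    if (termcap_path(path, sizeof path, long_home) != -1 || path[0] != '\0')
        return 0;
    return count_unbounded_calls(SAMPLE_SOURCE) == 2;
}

int main(int argc, char **argv)
{
    char path[PATHBUF_SIZE];
    const char *home = argc > 1 ? argv[1] : "/home/newton";  /* constructed default */

    if (termcap_path(path, sizeof path, home) == 0)
        printf("termcap path: %s\n", path);
    else
        printf("HOME does not fit in %d bytes; refusing to build path\n", PATHBUF_SIZE);
    printf("%d unbounded call(s) in sample\n", count_unbounded_calls(SAMPLE_SOURCE));
    return self_check() ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall` and run it with an overlong first argument to see the refusal path; in a setuid binary that argument (or $HOME) is exactly the attacker-controlled string the thread is worried about. The scanner is deliberately a grep with identifier boundaries, not a correctness checker: it catches the libc names Mark lists and nothing else, which is the gap he is pointing at when he says strcpy is not all such a tool would need to look for.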