Re: Are bad developer libraries the problem with M$ software?
From: Andrew Griffiths (andrewg@d2.net.au)
Date: 11/19/02
Date: Tue, 19 Nov 2002 10:10:35 +1100
From: Andrew Griffiths <andrewg@d2.net.au>
To: Casper Dik <Casper.Dik@Sun.COM>
Hi all,
>
> Same problem; not safe anyway. (sizeof (dst) - strlen(dst) - 1, if anything)
>
Another thing to use is consistency, for example,
    char dst[50];
    strncpy(dst, user_supplied_data, sizeof(dst));
    strncat(dst, moreuserdata, sizeof(dst) - strlen(dst) - 1);
This could be exploitable if user_supplied_data is 50 or more bytes long.
In specific,
50 - 50 - 1 == -1
Since strncat's len parameter is size_t (which is unsigned), strncat is
willing to append _way_ too many bytes. IIRC, some fingerd's had this
problem (possibly some identd, *shrug*).
Similar things can be done to snprintf and so on. A wrapper around those
library calls could be used to check if it's unsigned (and wouldn't
have that much drawback, because I can't think of anything that'd do
a >2G string operation normally), by using int as opposed to size_t.
I guess this comes to the class of integer over/under flows now :)
Sincerely,
Andrew Griffiths
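
Added example, not part of the original message: the length expression from the post as plain arithmetic, next to one way to write the checked wrapper it suggests. The names naive_room, checked_room and copy_then_append are hypothetical, and the wrapper checks for the terminator with memchr rather than using a signed int length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The post's expression, sizeof(dst) - strlen(dst) - 1, as pure arithmetic.
   Unsigned math wraps to a huge value once len >= dstsize. */
size_t naive_room(size_t dstsize, size_t len)
{
    return dstsize - len - 1;
}

/* Hypothetical helper: bytes that may still be appended to dst.
   Returns 0 when dst is full or has no NUL within dstsize bytes. */
size_t checked_room(const char *dst, size_t dstsize)
{
    const char *nul = memchr(dst, '\0', dstsize);
    if (nul == NULL)
        return 0;
    return dstsize - (size_t)(nul - dst) - 1;
}

/* Hypothetical wrapper: copy first, append second, always terminate.
   Returns 0 if everything fit, -1 if anything was truncated. */
int copy_then_append(char *dst, size_t dstsize,
                     const char *first, const char *second)
{
    size_t room;
    int truncated = 0;

    if (dstsize == 0)
        return -1;
    strncpy(dst, first, dstsize - 1);   /* leave room for the terminator */
    dst[dstsize - 1] = '\0';            /* strncpy does not add it on truncation */
    if (strlen(first) > dstsize - 1)
        truncated = 1;
    room = checked_room(dst, dstsize);
    if (strlen(second) > room)
        truncated = 1;
    strncat(dst, second, room);         /* room is never a wrapped value */
    return truncated ? -1 : 0;
}

int main(void)
{
    char dst[50];
    printf("naive room for a full 50-byte buffer: %zu\n", naive_room(50, 50));
    printf("wrapper result: %d, dst=\"%s\"\n",
           copy_then_append(dst, sizeof(dst), "user", "@host"), dst);
    return 0;
}
```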