Re: Stack growth direction to thwart buffer overflow attacks
From: Barry Margolin (barry.margolin_at_level3.com)
Date: Fri, 15 Aug 2003 20:54:45 GMT
In article <email@example.com>,
Nick Maclaren <firstname.lastname@example.org> wrote:
>In article <XY9%a.130$mD.email@example.com>,
>Barry Margolin <firstname.lastname@example.org> wrote:
>>In article <email@example.com>,
>>Rupert Pigott <firstname.lastname@example.org> wrote:
>>>"Barry Margolin" <email@example.com> wrote in message
>>>> In article <firstname.lastname@example.org>,
>>>> Nick Maclaren <email@example.com> wrote:
>>>> >Firstly, in the case of functions like strcpy, it is NOT much easier
>>>> >to provide the correct length than to do your own checking.
>>>> Could you explain this? How could writing your own checking code be
>>>> than just adding one parameter to a function call?
>>>I don't want to jump in and speak for Nick here. From my OWN point
>>>of view adding a parameter is just Yet-Another-Thing-To-Get-Wrong.
>>But the choice is between "doing something and possibly getting it wrong"
>>and "doing nothing which is almost always wrong". Right now we've got lots
>>of the latter.
>No, it isn't. There is also the choice "doing something and making
>the situation worse".
It's already pretty bad, I don't think it could really get much worse;
there are unchecked buffers all over the place, just waiting for crackers
to discover them. I guess we'll just have to agree to disagree on whether
the particular techniques we've been discussing would result in an
--
Barry Margolin, firstname.lastname@example.org
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
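
Added example, not part of the original post or thread: a C sketch of both sides of the argument above, showing that passing the correct length to strncpy prevents the overflow yet can still leave the buffer unterminated, next to a copy routine that takes the same one extra parameter and does the checking itself. The names copy_bounded and strncpy_unterminated are hypothetical, and the input strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy src into dst, whose capacity (including the
 * terminating NUL) is dstsize. Returns 0 if src fit, -1 if it was
 * truncated or the arguments were unusable. dst is always NUL-terminated
 * when dstsize > 0. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsize) {                 /* would not fit: truncate and report */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);            /* fits, copy including the NUL */
    return 0;
}

/* The "just add one parameter" form: strncpy with the correct buffer size.
 * It never writes past buf, but when src has 8 or more characters no NUL
 * is stored. Returns 1 if buf ends up unterminated, 0 otherwise. */
int strncpy_unterminated(const char *src)
{
    char buf[8];

    memset(buf, 'X', sizeof buf);       /* make stale contents visible */
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

int main(void)
{
    char small[4];
    int rc = copy_bounded(small, sizeof small, "abcdef");  /* constructed input */

    printf("copy_bounded: rc=%d dst=\"%s\"\n", rc, small);
    printf("strncpy, 8-char input unterminated: %d\n",
           strncpy_unterminated("12345678"));
    printf("strncpy, 4-char input unterminated: %d\n",
           strncpy_unterminated("1234"));
    return 0;
}
```

The return value of copy_bounded only helps if the caller checks it; ignoring it leaves a silently truncated string.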