[9294] in bugtraq
Re: Responses to: Unix Security Kernel Changes
daemon@ATHENA.MIT.EDU (der Mouse)
Fri Jan 29 11:15:05 1999
Date: Fri, 29 Jan 1999 08:32:08 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
> OK NOW: Let me introduce a new question to you. How come we cannot
> write our std c libraries to do something similar to this before
> performing strcat's, etc...
> a[sizeof(b)] = NULL (or 0);
There are several reasons.
One, it wouldn't help all that much, because the offending strcat()s
and sprintf()s and similar functions are often in application code,
where they are beyond reach of the C library. For calls within the
library itself, this usually can't be done because the input string is
read-only ("const char *", typically); such input arguments may even be
in read-only VM, if they're string literals and the compiler in
question puts them in the text segment (at least one common compiler -
gcc - likes to do this).
Two, if this can be done, it's just as easy (and less destructive) to
recode the copy properly anyway. Sometimes something like the above
*is* a proper fix; sometimes the proper fix is to use strncpy or
snprintf or something similar. (Yes, I know, many systems don't have
snprintf...but if you can meddle with libc source you might as well add
snprintf while you're about it.)
Three, NULL is for pointer types; you want 0 or '\0'. You might
#define NUL, which is the correct name for the character with value
zero - but NULL is semantically wrong; even if it happens to work on
your system, it is liable to break when the next system over defines
NULL as ((void*)0), which is allowed.
Four, this usually hits the wrong byte. Most of these "unsafe"
routines copy the NUL as well, so the length has to be sizeof(b)
*including* the NUL.
Five, this risks a segfault itself. If a is short and near the top of
VM, a[sizeof(b)] could very well be off the end of valid memory.
Six, this risks corrupting a random piece of data structure. If a is a
small string in a small buffer, followed by some other data structure,
the assignment will drop a 0 byte into the middle of that other data
structure, which is unlikely to have any good effects.
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
