[1078] in bugtraq
Re: NCSA httpd 1.3
daemon@ATHENA.MIT.EDU (Dan Thorson)
Fri Feb 24 13:50:42 1995
To: Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de>
Cc: Kevin at Paranoia <kevintx@paranoia.com>, bugtraq <bugtraq@fc.net>
From: Dan Thorson <Dan_Thorson@notes.seagate.com>
Date: 24 Feb 95 8:31:02 EDT
I've been thinking about many of the latest security holes, specifically those
having to do with overrunning char strings. We know one rule:
Never use sprintf(dest, fmt, ...), strcpy(dest, src), etc., as they do no
checking on the max length of "dest".
However, perhaps another rule:
Avoid using strncat(dest, src, n) or strncpy(dest, src, n), etc, as they
_also_ do no checking on the max length of "dest", although 'n' can be
properly calculated & make them safe.
Perhaps, instead, it's time to write a new series of string manipulators....
ones that do the following:
1) Behave similarly to the existing functions (like sprintf(), strncat(),
strncpy()), but take an additional argument "destlen", which is (of course)
the max length of the destination string.
2) Do the string-function, but if the "dest" string will be overrun, return an
error code AND post to the syslog function.
I could see a couple of advantages.
o) We could "grep" all our mission-critical code for the "offensive" functions,
and replace them.
o) If anything shows up in the syslog(), it'd be due to either malicious
behavior, or bad coding, either of which I know _I'd_ want to know about.
This doesn't seem like it'd be too hard. Anybody got the time? I'd think anyone
writing code that'll live where bad guys live would want to take the time. ANY
suid program should use them.
My opinion. Nobody else wants it.
Dan Thorson (DT35)
(612) 844-5738
dan_thorson@notes.seagate.com postmaster@seagate.com
thorson@mr.net
postmaster@notes.seagate.com
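A sketch of the bounded string functions Dan proposes, as an added example (not code from the post): each takes the destination's capacity, refuses to write past it, returns an error on a would-be overrun and reports it through syslog(3). The names bstrcpy/bstrcat/bsprintf and the bstr_overruns counter are my own, and bsprintf relies on C99 vsnprintf, which was not widely available in 1995.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Number of refused overruns so far; lets callers (and tests) see that the
 * check fired without having to read the system log. */
static unsigned long bstr_overruns;

static void bstr_report(const char *fn, size_t needed, size_t destlen)
{
    bstr_overruns++;
    syslog(LOG_WARNING, "%s: %zu bytes needed, %zu available (truncated)",
           fn, needed, destlen);
}

/* Copy src into dest[destlen], always NUL-terminating when destlen > 0.
 * Returns 0 if src fit, -1 if it was truncated (the overrun is logged). */
static int bstr_copy_into(const char *fn, char *dest, size_t destlen, const char *src)
{
    size_t n = strlen(src);
    if (destlen == 0) return -1;
    if (n >= destlen) {                 /* src plus its NUL does not fit */
        memcpy(dest, src, destlen - 1);
        dest[destlen - 1] = '\0';
        bstr_report(fn, n + 1, destlen);
        return -1;
    }
    memcpy(dest, src, n + 1);
    return 0;
}

int bstrcpy(char *dest, size_t destlen, const char *src)
{
    return bstr_copy_into("bstrcpy", dest, destlen, src);
}

/* Append src to the string already in dest[destlen]; same return contract.
 * Fails without writing if dest is not NUL-terminated within destlen. */
int bstrcat(char *dest, size_t destlen, const char *src)
{
    const char *end = memchr(dest, '\0', destlen);
    if (end == NULL) return -1;
    return bstr_copy_into("bstrcat", dest + (end - dest), destlen - (end - dest), src);
}

/* Formatted write into dest[destlen]; -1 means the output was truncated. */
int bsprintf(char *dest, size_t destlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (destlen == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(dest, destlen, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= destlen) {
        bstr_report("bsprintf", n < 0 ? 0 : (size_t)n + 1, destlen);
        return -1;
    }
    return 0;
}
```

A grep for sprintf/strcpy/strcat can then be replaced mechanically with these, and any LOG_WARNING line from them in the log marks either hostile input or a caller whose size arithmetic is wrong.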