[31144] in bugtraq
Re: Buffer overflow prevention
daemon@ATHENA.MIT.EDU (weigelt@metux.de)
Wed Aug 13 19:27:27 2003
Date: Wed, 13 Aug 2003 21:23:09 +0200
From: weigelt@metux.de
To: bugtraq <bugtraq@securityfocus.com>
Message-ID: <20030813192309.GB25161@metux.de>
Mail-Followup-To: bugtraq <bugtraq@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030813121327.A32569@ring.CS.Berkeley.EDU>
On Wed, Aug 13, 2003 at 12:13:27PM -0700, Nicholas Weaver wrote:
<snip>
> This only stops attacks which overwrite the return address pointers on
> the stack, it doesn't stop heap overflows or other control-flow
> attacks.
ACK. Often there are function pointers stored on the heap - so this
does not really help much.
It would be better to invest more time in fail-checking code, i.e.
in C: macros for memory operations which do range checks:
>>>>
static inline _sec_strcpy(char* dest, const char* src, int max)
{
int i;
if ((!dest)||(max<1)) return -1;
if ((max==0)||(!src)) return -1;
{
dest[0] = 0;
return 0;
}
i = strncpy(dest,src,max);
dest[max] = 0;
return i;
}
#define STRCPY_BUF(buffer,src) _sec_strcpy(&buffer, src, sizeof(buffer));
<<<<
Some languages offer runtime range checking, which should bring much security,
but often is really slow :(
<snip>
> [1] If microsoft doesn't have this flag turn on on their own products,
> this would be a lawsuit waiting to happen.
why (in detail) should they be attackable ? did they give any warranty ?
cu
--
---------------------------------------------------------------------
Enrico Weigelt == metux ITS
Webhosting ab 5 EUR/Monat. UUCP, rawIP und vieles mehr.
phone: +49 36207 519931 www: http://www.metux.de/
fax: +49 36207 519932 email: contact@metux.de
cellphone: +49 174 7066481
---------------------------------------------------------------------
Diese Mail wurde mit UUCP versandt. http://www.metux.de/uucp/
