Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Responses to: Unix Security Kernel Changes

From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Fri, 29 Jan 1999 08:32:08 -0500


OK NOW:  Let me introduce a new question to you.  How come we cannot
write our std c libraries to do something similar to this before
performing strcat's, etc...



a[sizeof(b)] = NULL (or 0);


There are several reasons.

One, it wouldn't help all that much, because the offending strcat()s
and sprintf()s and similar functions are often in application code,
where they are beyond reach of the C library.  For calls within the
library itself, this usually can't be done because the input string is
read-only ("const char *", typically); such input arguments may even be
in read-only VM, if they're string literals and the compiler in
question puts them in the text segment (at least one common compiler -
gcc - likes to do this).

Two, if this can be done, it's just as easy (and less destructive) to
recode the copy properly anyway.  Sometimes something like the above
*is* a proper fix; sometimes the proper fix is to use strncpy or
snprintf or something similar.  (Yes, I know, many systems don't have
snprintf...but if you can meddle with libc source you might as well add
snprintf while you're about it.)

Three, NULL is for pointer types; you want 0 or '\0'.  You might
#define NUL, which is the correct name for the character with value
zero - but NULL is semantically wrong; even if it happens to work on
your system, it is liable to break when the next system over defines
NULL as ((void*)0), which is allowed.

Four, this usually hits the wrong byte.  Most of these "unsafe"
routines copy the NUL as well, so the length has to be sizeof(b)
*including* the NUL.

Five, this risks a segfault itself.  If a is short and near the top of
VM, a[sizeof(b)] could very well be off the end of valid memory.

Six, this risks corrupting a random piece of data structure.  If a is a
small string in a small buffer, followed by some other data structure,
the assignment will drop a 0 byte into the middle of that other data
structure, which is unlikely to have any good effects.

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
Previous By Date Next
Previous By Thread Next

Current thread: