
Re: Possible buffer overflows = security problem?



On Fri, Sep 05, 2003 at 04:47:30PM +0200, Frank Lichtenheld wrote:
> Hi.
Hello :)

> It was un/undermaintained a long time and has no separate upstream.
> While looking in the code to fix some outstanding bugs I found
> several code pieces like
> 
> char path[256];
> sprintf( path, "some string/%s", packagename);
> 
> There are no further checks as I can see. I'm not very experienced in C
> programming and don't know much about the details of exploiting buffer
> overflows or the like...
Of course it's a security problem, because passing a packagename longer than 256
bytes can lead to a buffer overflow. If you want to read more about BO and see
how they work, read "Smashing stack for fun and profit".

To avoid this you should use a function like strncpy(), or insert between those
two lines something like if(strlen(packagename)>255) exit(EXIT_FAILURE);


> Is such code (away from the fact that it can easily lead to segfaults) a
> security problem?
> 
> Thanks,
> -- 
> Frank Lichtenheld <frank@lichtenheld.de>

-- 
Michael "carstein" Melewski	 |	"Nobody said it
carstein@poznan.linux.org.pl 	 |	 wouldn't hurt..." 
mobile:	502 545 913		 |	 -- Łukasz Wielebski on the progress 
gpg: carstein.c.pl/carstein.txt	 |	 of work on the Prokartel project.
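
An added example, not part of the original message or of the package's code: a bounded version of the quoted sprintf() call that rejects any result that would not fit. The helper names bytes_needed() and build_path() are hypothetical; the point is that the "some string/" prefix also counts against the 256-byte buffer, so the length test has to cover the whole formatted string.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256
#define PREFIX "some string/"   /* format prefix quoted in the thread */

/* Bytes sprintf(path, PREFIX "%s", name) would write, including the NUL. */
size_t bytes_needed(const char *packagename)
{
    return strlen(PREFIX) + strlen(packagename) + 1;
}

/* Bounded replacement: returns 0 on success, -1 if the result would not fit
 * (or on an output error). dst is always NUL-terminated when dstlen > 0. */
int build_path(char *dst, size_t dstlen, const char *packagename)
{
    int n = snprintf(dst, dstlen, PREFIX "%s", packagename);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;          /* truncated: reject rather than use a cut path */
    return 0;
}

int main(void)
{
    char path[PATH_BUF];
    char name[PATH_BUF];

    /* Constructed input: 250 bytes, short enough to pass a test on
     * strlen(name) alone, yet too long once the prefix is added. */
    memset(name, 'a', 250);
    name[250] = '\0';

    printf("needs %zu bytes, buffer has %d\n", bytes_needed(name), PATH_BUF);
    printf("build_path(250 x 'a'): %d\n",
           build_path(path, sizeof path, name));
    printf("build_path(\"dpkg\"): %d -> %s\n",
           build_path(path, sizeof path, "dpkg"), path);
    return 0;
}
```

Checking snprintf()'s return value against the buffer size catches truncation as well as overflow, which matters when the result is used as a file path.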


