From owner-freebsd-current Tue Nov 23 22:41:44 1999
Delivered-To: freebsd-current@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id C875C153B4 for ; Tue, 23 Nov 1999 22:41:32 -0800 (PST) (envelope-from green@FreeBSD.org)
Received: from localhost (green@localhost [127.0.0.1]) by green.dyndns.org (8.9.3/8.9.3) with ESMTP id BAA50976; Wed, 24 Nov 1999 01:41:08 -0500 (EST) (envelope-from green@FreeBSD.org)
Date: Wed, 24 Nov 1999 01:41:07 -0500 (EST)
From: Brian Fundakowski Feldman
X-Sender: green@green.dyndns.org
To: Peter Jeremy
Cc: current@FreeBSD.org
Subject: Re: FreeBSD security auditing project.
In-Reply-To: <99Nov24.162448est.40336@border.alcanet.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 24 Nov 1999, Peter Jeremy wrote:

> On 1999-Nov-24 15:33:14 +1100, Brian Fundakowski Feldman wrote:
> >I'd like to note something. Strcat isn't necessarily unsafe, and strncat()
> >isn't necessarily safe.
>
> I wasn't implying that. In fact, I believe the semantics of strncat()
> put it into the `hard to use correctly' category (or maybe `very likely
> to be misused').

It seemed like you were pointing out that these were inherently mistakes.

> > if (fscanf(file, "%d:foo:%.*s", &smurf, sizeof(something),
> > something) /* This is safe, of course. */
> Beep. You lose. "%.*s" doesn't exist in *scanf() [I thought it did,
> but it's not mentioned in either scanf(3) or the source]. You have
> to specify field widths as literals (which makes this sort of code
> a real PITA).

Ah, well, I've never actually tried it. I've used non-'*' lengths; the
example still holds as long as you use fscanf() correctly and specify the
size as a number inside the fmt (which I didn't, of course :)

> > >#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
> > char action2[32], proto[47], name[18], fragment[17];
> > /* Print command name */
> > snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
> >
> >Despite the fact that the buffer name[] was made to be exactly the
> >largest size, where sprintf() _would_be_safe_,
>
> Not necessarily true. Consider a system where sizeof(int)==8 (such C
> compilers exist today). In this case "%d" can take 20 characters, but
> the code above assumes an int can always be printed in 11
> characters.

Our code doesn't run on a system _anything_ like that. In fact, I can't
even think of compilers with 8 * NBBY ints. GCC is one of those that can
be coerced into long being a software, 64-bit type.

> > > Don't get caught doing this.
> >If you find a strcat() (for example), see if it's safe. If it is,
> >then why replace it?
>
> Confirming that it is safe (checking all the paths by which the
> strcat() can be reached) might take substantial effort (if the buffers
> and/or range checks are widely separated from the strcat() call.
>
> In addition, someone might add a new path to the strcat(), or might
> change a buffer size, without properly checking all the ramifications.
>
> I tend towards the approach that unless it's immediately obvious that
> it's safe, you are better off using strlcat() (or maybe strncat()).

You shouldn't be using static buffers in the first place, so str*cat()
should never be used.

> Peter
>

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
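The SNPARGS idiom argued over in the thread, as an added example that is not part of the original message or of FreeBSD's ipfw code. The macro is the one quoted above; format_rule(), rule_truncated() and int_min_width() are hypothetical helpers that show the macro keeping snprintf() inside a fixed buffer once the running length passes the buffer size, and measure how wide "%d" gets for INT_MIN on the compiling platform (Peter's sizeof(int)==8 point).

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Macro as quoted in the thread: pointer into buf at offset len plus the
 * space left there, clamped to 0 once len reaches sizeof(buf). buf must
 * be a real array, or sizeof(buf) is the size of a pointer. */
#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0

#define RULE_LINE_SIZE 32 /* like action2[32] in the quoted ipfw code */

/*
 * Hypothetical helper: build "ipfw: <number> <proto> <action>" with three
 * snprintf() calls. snprintf() returns the length the whole output would
 * have had, so 'need' can exceed the buffer; 'len' is clamped to the buffer
 * size so SNPARGS hands snprintf() a size of 0 (and a pointer at most one
 * past the end) once the buffer is full. The text is copied to dst when
 * dstsz > 0; the untruncated length is returned so truncation is visible.
 */
size_t format_rule(int number, const char *proto, const char *action,
                   char *dst, size_t dstsz)
{
    char line[RULE_LINE_SIZE];
    size_t need = 0, len = 0;

    need += (size_t)snprintf(SNPARGS(line, len), "ipfw: %d", number);
    len = need < sizeof(line) ? need : sizeof(line);
    need += (size_t)snprintf(SNPARGS(line, len), " %s", proto);
    len = need < sizeof(line) ? need : sizeof(line);
    need += (size_t)snprintf(SNPARGS(line, len), " %s", action);

    if (dst != NULL && dstsz > 0) {
        strncpy(dst, line, dstsz - 1);   /* truncate again if dst is smaller */
        dst[dstsz - 1] = '\0';
    }
    return need;
}

/* 1 if the rule text plus its NUL would not fit in RULE_LINE_SIZE bytes. */
int rule_truncated(int number, const char *proto, const char *action)
{
    return format_rule(number, proto, action, NULL, 0) >= RULE_LINE_SIZE;
}

/* Width "%d" needs for INT_MIN here: 11 with 32-bit int, 20 with the 64-bit
 * int from the thread. sprintf() into name[18] fails the latter; SNPARGS does not. */
int int_min_width(void)
{
    return snprintf(NULL, 0, "%d", INT_MIN);
}
```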