From owner-freebsd-current Tue Nov 23 21:32:42 1999
Delivered-To: freebsd-current@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 970D3153FA; Tue, 23 Nov 1999 21:32:36 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40336>; Wed, 24 Nov 1999 16:24:48 +1100
Content-return: prohibited
Date: Wed, 24 Nov 1999 16:31:40 +1100
From: Peter Jeremy
Subject: Re: FreeBSD security auditing project.
In-reply-to:
To: Brian Fundakowski Feldman
Cc: current@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Nov24.162448est.40336@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0pre3i
Content-type: text/plain; charset=us-ascii
References: <99Nov24.075703est.40331@border.alcanet.com.au>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 1999-Nov-24 15:33:14 +1100, Brian Fundakowski Feldman wrote:
>I'd like to note something. Strcat isn't necessarily unsafe, and strncat()
>isn't necessarily safe.

I wasn't implying that. In fact, I believe the semantics of strncat() put
it into the `hard to use correctly' category (or maybe `very likely to be
misused').

>	if (fscanf(file, "%d:foo:%.*s", &smurf, sizeof(something),
>	    something) /* This is safe, of course. */

Beep. You lose. "%.*s" doesn't exist in *scanf() [I thought it did, but
it's not mentioned in either scanf(3) or the source]. You have to specify
field widths as literals (which makes this sort of code a real PITA).

>#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0
>	char action2[32], proto[47], name[18], fragment[17];
>	/* Print command name */
>	snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);
>
>Despite the fact that the buffer name[] was made to be exactly the
>largest size, where sprintf() _would_be_safe_,

Not necessarily true. Consider a system where sizeof(int)==8 (such C
compilers exist today). In this case "%d" can take 20 characters, but the
code above assumes an int can always be printed in 11 characters.

> Don't get caught doing this.

>If you find a strcat() (for example), see if it's safe. If it is,
>then why replace it?

Confirming that it is safe (checking all the paths by which the strcat()
can be reached) might take substantial effort (if the buffers and/or range
checks are widely separated from the strcat() call). In addition, someone
might add a new path to the strcat(), or might change a buffer size,
without properly checking all the ramifications. I tend towards the
approach that unless it's immediately obvious that it's safe, you are
better off using strlcat() (or maybe strncat()).

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
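As an added illustration of the two points made in the mail above (the width "%d" can need depends on sizeof(int), and strlcat() makes truncation detectable rather than assumed away), here is example code that is not from the mail, from ipfw or from FreeBSD's libc; int_print_width, prefixed_int_bufsize, format_rule_name and my_strlcat are hypothetical helper names:

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Characters needed to print the most negative value of a signed integer
 * type of 'bits' bits in decimal, sign included, NUL excluded. Computes
 * ceil((bits - 1) * log10(2)) + 1 in integer arithmetic: 11 for a 32-bit
 * int, 20 for a 64-bit int (the figure quoted in the mail). */
size_t int_print_width(size_t bits)
{
    return ((bits - 1) * 30103 + 99999) / 100000 + 1;
}

/* Buffer size that holds prefix, any value of this platform's int and
 * the terminating NUL, e.g. 18 for "ipfw: " when sizeof(int) == 4. */
size_t prefixed_int_bufsize(const char *prefix)
{
    return strlen(prefix) + int_print_width(sizeof(int) * CHAR_BIT) + 1;
}

/* Format "ipfw: <number>" into buf as the quoted ipfw code does, but use
 * snprintf's return value to report truncation instead of assuming the
 * buffer is large enough. Returns 1 if the whole message fit, 0 if not;
 * buf is NUL-terminated either way (bufsize > 0). */
int format_rule_name(char *buf, size_t bufsize, int number)
{
    int n = snprintf(buf, bufsize, "ipfw: %d", number);
    return n >= 0 && (size_t)n < bufsize;
}

/* strlcat(3) semantics, which the mail recommends over strcat()/strncat():
 * never write past dstsize bytes, always NUL-terminate, and return the
 * length the result would have had so the caller can detect truncation
 * (return value >= dstsize). Hypothetical helper written out here so the
 * example also builds on C libraries without strlcat(). */
size_t my_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dlen = 0, slen = strlen(src), room, n;
    while (dlen < dstsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dstsize)            /* dst not terminated within dstsize */
        return dstsize + slen;
    room = dstsize - dlen - 1;
    n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}
```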