Date: Tue, 23 Nov 1999 23:33:14 -0500 (EST)
From: Brian Fundakowski Feldman <green@FreeBSD.org>
To: peter.jeremy@alcatel.com.au
Cc: Kris Kennaway <kris@hub.freebsd.org>, current@FreeBSD.org
Subject: Re: FreeBSD security auditing project.
Message-ID: <Pine.BSF.4.10.9911232317170.40485-100000@green.dyndns.org>
In-Reply-To: <99Nov24.075703est.40331@border.alcanet.com.au>
On Wed, 24 Nov 1999, Peter Jeremy wrote:
> A 'grep | wc' equivalent over the source tree gives:
>
> gets         110
> strcat      2860
> strcpy      4717
> strncat      167
> strncpy     1514
> sprintf     6839
> vsprintf     133
> ...
> A string search for (roughly) "scanf.*%s" also picks up 74 cases of
> un-bounded string scans.
>
> And these are the easy ones...

I'd like to note something.  Strcat isn't necessarily unsafe, and
strncat() isn't necessarily safe.  It is not possible to just tell people
"look for this and replace it with this."  For example, with fscanf():

	char buf[80], something[80];
	int smurf;
#if 1
	/* scanf() takes a field width, not a precision: %79s stops after
	 * 79 characters, which plus the terminator fill something[80]. */
	if (fscanf(file, "%d:foo:%79s", &smurf, something) == 2)
		/* This is safe, of course. */
#else
	if (fscanf(file, "%d:foo:%s", &smurf, something) == 2)
		/* I'm using %s here, but it's safe.  Compare
		 * the buffer sizes. */
#endif

For a better example, in the real world (from src/sys/netinet/ip_fw.c):

#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0

	char action2[32], proto[47], name[18], fragment[17];

	/* Print command name */
	snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);

Despite the fact that the buffer name[] was made to be exactly the largest
size, where sprintf() _would_be_safe_, some people insist on using
snprintf() "for stability".  Don't get caught doing this.  If you find a
strcat() (for example), see if it's safe.  If it is, then why replace it?

>
> Peter
>

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.9911232317170.40485-100000>
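The three points argued in the mail (strncat() is only as safe as its size argument, sprintf() into a buffer sized for the largest possible output cannot overflow, and the SNPARGS idiom from ip_fw.c is what makes a chain of snprintf() calls safe) worked through as an added example. This code is not from the mail or from FreeBSD; only the SNPARGS macro is quoted from it. The function names, the struct logline type, the 8-byte and 32-byte buffers and the input strings are constructed for illustration.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Macro quoted in the mail from src/sys/netinet/ip_fw.c.  It expands to the
 * two leading snprintf() arguments: where to write, and how much room is left
 * there (0 once len has run past the end, so snprintf() then writes nothing).
 * sizeof(buf) only means the buffer size because buf is an array, never a
 * pointer parameter. */
#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0

/* The case from the mail: name[18] holds "ipfw: " (6 bytes) plus the longest
 * int, "-2147483648" (11 bytes), plus the terminator.  No argument can make
 * the output longer than 17, so sprintf() could not overflow it either.
 * Returns the length snprintf() reported for the given number. */
int rule_name_len(int number)
{
    char name[18];
    return snprintf(SNPARGS(name, 0), "ipfw: %d", number);
}

/* The strncat() side of the argument: its size argument is the number of
 * bytes that may be appended, not the size of dst, so strncat(dst, src,
 * sizeof(dst)) overflows as soon as dst is non-empty.  The bounded form
 * passes the room actually left, less one for the terminator, and returns
 * the resulting length.  dst is assumed to be NUL-terminated on entry. */
size_t bounded_strcat(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    if (used + 1 >= dstsz)
        return used;                /* already full: append nothing */
    strncat(dst, src, dstsz - used - 1);
    return strlen(dst);
}

/* Constructed scenario: an 8-byte buffer holding "abc" receives "defghij".
 * Only four bytes fit, so the result is "abcdefg" (length 7), not an
 * overflow.  Returns the length, or -1 if the contents are not as expected. */
int demo_bounded_strcat(void)
{
    char dst[8] = "abc";
    size_t len = bounded_strcat(dst, sizeof(dst), "defghij");
    return strcmp(dst, "abcdefg") == 0 ? (int)len : -1;
}

/* Building one line with several snprintf() calls, as ip_fw.c does.  A
 * running offset is kept; once it passes the end of the buffer, later calls
 * get a size of 0 (and a pointer clamped to one past the end, which the
 * kernel macro does not bother with).  The offset keeps growing past the
 * buffer, which is how truncation is noticed afterwards. */
struct logline {
    char buf[32];
    size_t len;     /* bytes the formatting wanted; may exceed sizeof(buf) */
};

void logline_append(struct logline *l, const char *fmt, ...)
{
    size_t off = l->len < sizeof(l->buf) ? l->len : sizeof(l->buf);
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(l->buf + off, sizeof(l->buf) - off, fmt, ap);
    va_end(ap);
    if (n > 0)
        l->len += (size_t)n;
}

int logline_truncated(const struct logline *l)
{
    return l->len >= sizeof(l->buf);
}

/* Constructed example: three pieces that fit.  Returns the final length. */
size_t demo_logline(void)
{
    struct logline l = { "", 0 };
    logline_append(&l, "ipfw: %d", 100);
    logline_append(&l, " %s", "Deny");
    logline_append(&l, " %s", "TCP");
    return logline_truncated(&l) ? 0 : l.len;   /* 18: "ipfw: 100 Deny TCP" */
}

/* Constructed example: a piece that does not fit.  The buffer stays
 * NUL-terminated at 31 characters and the line is flagged as truncated.
 * Returns 1 when both hold. */
int demo_logline_truncated(void)
{
    struct logline l = { "", 0 };
    logline_append(&l, "ipfw: %d", 100);
    logline_append(&l, " %s", "a-very-long-interface-name-that-overflows");
    return logline_truncated(&l) && strlen(l.buf) == sizeof(l.buf) - 1;
}
```

The point to take from rule_name_len() is the arithmetic in its comment: a reviewer who can show that the largest output fits the buffer has shown the call safe regardless of which printf variant it uses, which is exactly the check the mail asks for before touching a strcat() or sprintf().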