Bugtraq mailing list archives

Fixing up Qpopper


From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Mon, 29 Jun 1998 11:00:55 +0100


Hi,

Everyone is scrambling around trying to analyse which sprintf()'s are
going to cause overflows in qpopper.

This is not the proper approach to security. It causes additional
overruns to be missed, as is witnessed by lots of "here's another one"
posts seen on the topic so far. There will always be some weird code path
that concatenates strings longer than you expected, etc.

Successful protection of security related software commonly uses one of
these techniques:

1) Bounds check _all_ copies. For example, samba just did a mass switch
   from strcpy to strncpy. Of course, after a strncpy you must remember
   to ensure the destination is properly null terminated.

2) When copying data, work out the required new length then make a new
   buffer of required size on the fly. Lots of programs with very good
   security records have used this approach.


Cheers
Chris
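Both techniques from the post, written out in C as an added example (this is not code from the post or from Qpopper; the function names, the POP3 reply text and the truncation flag are my own choices). `bounded_copy` is technique 1, a bounds-checked copy that always leaves the destination NUL-terminated; `format_alloc` is technique 2, which measures the formatted length first and then allocates a buffer of exactly that size.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Technique 1: bounded copy that always NUL-terminates. strncpy() by
 * itself does not terminate when src is at least dstsize bytes long.
 * Returns 1 if the input was truncated (so the caller can reject it),
 * 0 if it fit. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n;
    if (dstsize == 0)
        return 1;
    n = strlen(src);
    if (n >= dstsize) {
        strncpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';      /* what strncpy() left undone */
        return 1;
    }
    memcpy(dst, src, n + 1);          /* fits, terminator included */
    return 0;
}

/* Technique 2: work out the required length, then allocate a buffer of
 * that size, so no fixed-size buffer can overflow however long the
 * pieces are. vsnprintf(NULL, 0, ...) returns the length the formatted
 * string needs. Caller frees the result; returns NULL on failure. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    int len;
    char *buf;

    va_start(ap, fmt);
    va_copy(ap2, ap);                 /* the list is consumed by the probe */
    len = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (len < 0) {
        va_end(ap2);
        return NULL;
    }
    buf = malloc((size_t)len + 1);
    if (buf != NULL)
        vsnprintf(buf, (size_t)len + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}
```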
