Re: TOG and xterm problem

[Valdis.Kletnieks () VT EDU (Valdis.Kletnieks () VT EDU)]

--==_Exmh_-15157014P
Content-Type: text/plain; charset=us-ascii

On Mon, 04 May 1998 11:06:05 +0200, you said:
> xc/programs/xterm/charproc.c:
> * HandleKeymapChange():
>
>     (void) sprintf( mapName, "%sKeymap", params[0] );
>     (void) strcpy( mapClass, mapName );
>
> (actually, the second command is mostly harmless because the size of
> mapName and mapClass is the same)

Actually, not necessarily.  It's "mostly harmless" if in addition to the
sizes being the same, you can "prove" in the program-correctness sense
that the source will be null-terminated at the appropriate place.

Think.  if they just overflowed mapName via sprintf, then they can ALSO
overflow mapClass.  And it's quite possible that mapClass is the array
that you need to overflow to create the exploit (mapName possibly being
at an inconvenient location in memory...)

This of course as just a "general guideline" - an actual examination of
the source is required.  I'm just pointing out that "they're the same size"
is not always enough....
--
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech


--==_Exmh_-15157014P
Content-Type: application/pgp-signature

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUBNU3RJ9QBOOoptg9JAQGqEAP/dIjBJQ2ID9S3KMK7pQfmgTqXoyzcfBl9
uOAIWIxax2m0nvvJKQ2gVoHPKvpygbQyb7AqlSBC/+uXP5aGvU1Qo3lnECCj8WmU
iG54syYzalg5vuXIM0tngSLTWB3GoiV8UBOrsMcHvhf1QmJ61JxX6S4ZGxi4yHFn
woZXJrYjlT8=
=dQ2I
-----END PGP MESSAGE-----

--==_Exmh_-15157014P--