Firewall Wizards mailing list archives

Gauntlet: source code anyone ?


From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 18 Mar 1999 08:50:07 +1100 (EST)


There has been much discussion about "must have source code" by people
who populate these lists for security products, however, in line with
comments brought up before, there is apparently little benefit for the
vendor or customer (except that the customer has the ability to introduce
their own bugs ;).

Why do I say that ?  Well, recently I was in a position to have the time
to do a quick review of Gauntlet source code.  Just for laughs, I tried
something stupid like "grep sprintf */*.c".  The scary part is that the
output was rather lengthy.  Upon having a closer look at one file (x-gw.c),
it became quickly apparent that fixed buffer sizes (some of which were
too small) were littered through the code and whilst single buffers
could be overflowed, by some stroke of luck it doesn't appear easy to
exploit.  To make it even worse, this was 4.1, not some early rev.
If you use Gauntlet and have the time, set up a host with a full length
domain name (256 characters) and try accessing each of the Gauntlet
services using it...

Getting back to the larger issue, this indicates a few things to me:

1. you can't trust firewall vendors to write good, secure, code;

2. vendors don't appear to do a lot of testing, particularly of boundary
   cases (just like all good s/w engineers should);

3. vendors don't appear to have a very good quality control;

4. those who buy commercial firewall products aren't interested in
   doing a code review of their vendor.

Of course these are generalised points given one experience, but one
would have thought that of any firewall, Gauntlet would have been the
most correct...

Just before I finish, has anyone ever submitted a patch to TIS/NAI for
Gauntlet to fix security holes ?  Do they reject them or simply sit
on them ?

Darren
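
The pattern described in the message above (sprintf into a fixed-size buffer with a hostname that can be up to 256 characters), shown next to a bounded form that rejects oversized input. This is an added example, not part of the original post and not Gauntlet code; the format string, the 128-byte buffer and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FMT "connect from %s port %d"   /* assumed log format, not from Gauntlet */

/* Bounded replacement for sprintf(buf, FMT, host, port).
 * Returns 0 on success, -1 if the result would not fit (dst set to ""). */
int format_peer(char *dst, size_t dstlen, const char *host, int port)
{
    int n;
    if (dst == NULL || dstlen == 0 || host == NULL)
        return -1;
    n = snprintf(dst, dstlen, FMT, host, port);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* refuse rather than keep a truncated name */
        return -1;
    }
    return 0;
}

/* Bytes (including the NUL) an unbounded sprintf would have written. */
size_t bytes_needed(const char *host, int port)
{
    int n = snprintf(NULL, 0, FMT, host, port);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Constructed test input: a len-character name made of 63-character labels. */
void make_long_host(char *out, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        out[i] = ((i + 1) % 64 == 0) ? '.' : 'a';
    out[len] = '\0';
}

int main(void)
{
    char host[257], line[128];  /* 128 is a constructed "typical" fixed size */
    make_long_host(host, 256);
    printf("needed=%zu have=%zu\n", bytes_needed(host, 23), sizeof line);
    if (format_peer(line, sizeof line, host, 23) != 0)
        puts("rejected: hostname does not fit in buffer");
    if (format_peer(line, sizeof line, "gw.example.com", 23) == 0)
        puts(line);
    return 0;
}
```

Checking the return value of snprintf is what distinguishes this from a silent truncation: the caller learns that the boundary case was hit and can drop the request.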


