Vulnerability Development mailing list archives
Secure coding in C (was Re: Administrivia #4883)
From: bet () RAHUL NET (Bennett Todd)
Date: Fri, 14 Jan 2000 16:08:41 -0500
2000-01-14-13:20:27 nascheme:
ICQ is a disaster waiting to happen. There is strcat and strcpy all over the place last time I looked at it. I didn't have time to develop and exploit though.
NB: I don't mean here to imply that ICQ is secure:-). I don't think strcat and strcpy necessarily imply exploits, of themselves; by one of these creepy coincidences I'm doing some security-critical programming right now[*], and for the modest amount of string processing needed I started off using them, suitably protected by preceding checks with strlen(). I ended up changing to using snprintf into a buffer sized by computing the needed length using strlen, but that was just because it ended up being much simpler as the string manipulations got more complex.

For a specific case, is there any security hole directly implied by this C fragment, assuming attackers could control the contents of a and b?

    char *a = something();
    char *b = something_else();
    int len = strlen(a) + strlen(b);
    char *c = malloc(len + 1) || die("malloc");
    (void) strcat(strcpy(c, a), b);

BTW, what I ended up coding instead of that last line (as it grew way more complex) was equivalent to:

    snprintf(c, len, "%s%s", a, b) > 0 || die "snprintf";

-Bennett

[*] I'm re-starting a project I tried previously, which died the last time for lack of round tuits, a new email local delivery agent, to compete with procmail, maildrop, mailagent, etc. If it gets anywhere near fruition I'll send an announcement here of where to find the code, as soon as it stabilizes enough to deserve a security audit.
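Added example (not part of the message above or of its author's project): a checked form of the strlen/malloc/snprintf concatenation the message discusses, plus a second function showing that an snprintf size of len rather than len + 1 drops the last byte while still returning a positive count. The names concat_checked and concat_one_short and the sample strings are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the post): returns a malloc'd copy of
 * a followed by b, or NULL on length overflow, allocation failure or
 * truncation. The caller frees the result. */
char *concat_checked(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);

    /* size_t, not int: reject sums where la + lb + 1 would wrap. */
    if (la > SIZE_MAX - 1 - lb)
        return NULL;
    size_t need = la + lb + 1;      /* +1 for the terminating NUL */

    char *c = malloc(need);
    if (c == NULL)
        return NULL;

    /* snprintf's size argument includes the NUL, so pass need.
     * It returns the length it wanted to write; anything other than
     * la + lb means an error or a truncated result. */
    int n = snprintf(c, need, "%s%s", a, b);
    if (n < 0 || (size_t)n != la + lb) {
        free(c);
        return NULL;
    }
    return c;
}

/* Same call with the size one short (len instead of len + 1): the last
 * byte is silently dropped, yet the return value is still positive. */
int concat_one_short(const char *a, const char *b, char *dst, size_t len)
{
    return snprintf(dst, len, "%s%s", a, b);
}

int main(void)
{
    char *c = concat_checked("user@", "example.test"); /* constructed input */
    if (c == NULL)
        return 1;
    printf("%s\n", c);
    free(c);
    char buf[8];
    int n = concat_one_short("abc", "def", buf, 6);
    printf("%d %s\n", n, buf);
    return 0;
}
```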