Bugtraq mailing list archives

Re: qpopper2.52


From: drow () FALSE ORG (Dan Jacobowitz)
Date: Thu, 2 Jul 1998 16:54:33 -0400


On Thu, Jul 02, 1998 at 12:51:50PM -0400, Alan J Rosenthal wrote:
> Are these limits in fact unnecessary, or have the qualcomm folks missed a few?
> (This file is the same in v2.52 -- got in this morning and started working on
> the 2.5 version before I saw last night's bugtraq mail... arggh)
>
> If these limits are indeed necessary, note that there's also a copy of this
> sprintf call on line 76.

Not to mention in pop_msg.c where this whole mess began.  The Qualcomm
folks have taken the approach of limiting the length of every string
passed to the dangerous functions, instead of bounds checking within
pop_log and pop_msg.  This is a dangerous thing to do in my opinion -
while they may indeed have caught every major problem, there could
possibly be unforeseen circumstances where the strings passed to those
functions do get overlarge.  It would be a very reasonable safeguard to
add bounds checking to pop_log and pop_msg, and patches to do that have
already been posted to this list.

In fact, in the source code of 2.52 I see this:
[0] mars:~/qp/qpopper2.52$ grep sprintf *.c |wc -l
      34
By no means are all of these dangerous, but a slightly more useful
figure is:
[0] mars:~/qp/qpopper2.52$ grep sprintf *.c |grep '%s'|wc -l
      18

Eighteen places where strings are pushed into fixed length buffers.  If
they have missed even one....

Daniel Jacobowitz
---------------------------------------------------------------------------
drow () false org                                               dan () debian org
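The bounds-checked pop_msg/pop_log-style formatter the message argues for, as an added example that is not part of this thread or of qpopper's source; the buffer size, the function names and the sample inputs are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed message buffer size: an assumption for this example, not
 * qpopper's real value. */
#define MSG_BUF_SIZE 64

/* Bounded formatter in the style the thread argues for: the length check
 * lives inside the pop_msg/pop_log-like function, so callers do not have
 * to pre-limit every "%s" argument. Returns the length the full message
 * needed; a value >= bufsize means the output was truncated. */
static int bounded_msg(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    int needed;
    if (buf == NULL || bufsize == 0)
        return -1;
    va_start(ap, fmt);
    needed = vsnprintf(buf, bufsize, fmt, ap); /* never writes past bufsize */
    va_end(ap);
    buf[bufsize - 1] = '\0'; /* NUL-terminated even when truncated */
    return needed;
}

/* Build an error line for a user name: 1 if it fit, 0 if truncated. */
static int user_err_fit(char *buf, size_t bufsize, const char *user)
{
    int needed = bounded_msg(buf, bufsize, "-ERR unknown user %s", user);
    return needed >= 0 && (size_t)needed < bufsize;
}

/* Short argument: fits, and the buffer holds exactly the expected text. */
static int demo_short(void)
{
    char buf[MSG_BUF_SIZE];
    return user_err_fit(buf, sizeof buf, "alice")
        && strcmp(buf, "-ERR unknown user alice") == 0;
}

/* Constructed overlong argument (200 'A's): reported as truncated, and
 * the result stays within MSG_BUF_SIZE - 1 chars. Returns its length. */
static size_t demo_long(void)
{
    char buf[MSG_BUF_SIZE];
    char longname[201];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return user_err_fit(buf, sizeof buf, longname) ? 0 : strlen(buf);
}
```

The caller-side approach the message criticises would instead need every one of the eighteen sprintf sites to limit its own argument; here a single check in the formatter covers all of them.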

