Secure Coding mailing list archives

Re: New Microsoft Security Tool for developers


From: Dave Aronson <securecoding () dja mailme org>
Date: Tue, 16 Dec 2003 00:55:24 +0000

Gene Spafford pointed out that noOverflow could be passed a pointer to a 
string that was *shorter* than the internal buffer.  He did not state 
specifically what was so bad about this, but I presumed that his point 
was the one later raised by Jannie Hanekom: that there could be 
information leakage from just past str, into buffer.  (Also possibly 
that that chunk of memory might be protected, in various ways that 
would crash the program.)  Spaf, is this indeed what you meant?

Jannie erroneously stated that strncpy always copies the maximum size.  
Many of you pointed out that this is not true, since strncpy will stop 
copying after the first zero byte.  So far so good.

BUT... what if there *is no* zero byte, at least on the string initially 
passed?  Then, strncpy will happily continue copying, up to the maximum 
size, leaking info just as Jannie said.  Example, modifying Spaf's:

#include <stdio.h>
#include <string.h>

void noOverflow(char *str);

int main(void)
{
    char fbuf[2];                /* deliberately NOT zero-terminated */
    char password[8] = "secret"; /* assumed to sit directly after fbuf in storage */

    fbuf[0] = 'x';
    fbuf[1] = 'y';

    noOverflow(fbuf);
    return 0;
}

void noOverflow(char *str)
{
    char buffer[10];
    /* strncpy stops at the first zero byte in str, but fbuf has none,
       so it keeps reading past fbuf until sizeof(buffer)-1 bytes are copied */
    strncpy(buffer,str,(sizeof(buffer)-1));
    buffer[(sizeof(buffer)-1)]=0;
    /* Avoiding buffer overflow with the above two lines */
    printf ("%s\n", buffer);
}

Assuming that, in actual storage, password does indeed immediately 
follow fbuf, this would print xysecret.  Of course, this could chain 
more than just two char-buffers (or any other kind of data), until the 
maximum size or a zero byte.

Spaf also suggested rewriting noOverflow to include a parameter for the 
buffer size.  That would help prevent accidental misuse -- but 
malicious abusers could still pass in a bad buffer size.

(BTW, I'm feeling caught in a bit of a timewarp.  Last time I followed 
up to something spaf posted was about 20 years ago....)

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson
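A bounded copy that takes the source length as well as the destination size, as an added example that is not code from the post or from Spaf: because the copy never reads beyond the caller's source bound, a source with no zero byte cannot pull in whatever follows it in memory. The struct used to put password directly after fbuf is a constructed stand-in for the stack layout the post assumes; bounded_copy and demo_no_leak are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy at most src_len bytes from src (stopping early at a zero byte)
 * into dst, always zero-terminating dst.  Returns the number of bytes
 * copied, not counting the terminator.  Unlike strncpy, it never reads
 * past src + src_len, so an unterminated source cannot leak the bytes
 * that happen to follow it. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0)
        return 0;
    if (src == NULL) {
        dst[0] = '\0';
        return 0;
    }
    /* Look for a terminator only inside the caller-supplied source bound. */
    const char *nul = memchr(src, '\0', src_len);
    size_t n = nul ? (size_t)(nul - src) : src_len;
    if (n > dst_size - 1)
        n = dst_size - 1;          /* truncate to what dst can hold */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Constructed layout: fbuf with no terminator, password right behind it.
 * Returns 1 if the copy stayed inside fbuf (out holds "xy", not "xysecret"). */
int demo_no_leak(char *out, size_t out_size)
{
    struct {
        char fbuf[2];
        char password[8];
    } frame = { { 'x', 'y' }, "secret" };

    size_t n = bounded_copy(out, out_size, frame.fbuf, sizeof frame.fbuf);
    return n == 2 && strcmp(out, "xy") == 0;
}

int main(void)
{
    char buffer[10];
    demo_no_leak(buffer, sizeof buffer);
    printf("%s\n", buffer);   /* prints "xy" */
    return 0;
}
```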
