Re: NCSA httpd 1.3
Dan Thorson (Dan_Thorson@notes.seagate.com) 24 Feb 95 8:31:02 EDT
- Next message: Jonathan Stott: "Re: NCSA httpd 1.3"
- Previous message: Ben Taylor: "Re: snooper watchers"
- Maybe in reply to: Kevin at Paranoia: "NCSA httpd 1.3"
- Next in thread: Jonathan Stott: "Re: NCSA httpd 1.3"
I've been thinking about many of the latest security holes, specifically those
having to do with overrunning char strings. We know one rule:
Never use sprintf(dest, fmt, ...), strcpy(dest, src), etc, as they do no
checking on the max length of "dest"
However, perhaps another rule:
Avoid using strncat(dest, src, n) or strncpy(dest, src, n), etc, as they
_also_ do no checking on the max length of "dest", although 'n' can be
properly calculated & make them safe.
Perhaps, instead, it's time to write a new series of string manipulators....
ones that do the following:
1) Behave similarly to the existing functions (like sprintf(), strncat(),
strncpy()), but take an additional argument "destlen", which is (of course)
the max length of the destination string.
2) Do the string-function, but if the "dest" string will be overrun, return an
error code AND post to the syslog function.
I could see a couple of advantages.
o) We could "grep" all our mission-critical code for the "offensive" functions,
and replace them.
o) If anything shows up in the syslog(), it'd be due to either malicious
behavior, or bad coding, either of which I know _I'd_ want to know about.
This doesn't seem like it'd be too hard. Anybody got the time? I'd think anyone
writing code that'll live where badguys live would want to take the time. ANY
suid program should use them.
My opinion. Nobody else wants it.
Dan Thorson (DT35)
(612) 844-5738
dan_thorson@notes.seagate.com
postmaster@seagate.com
thorson@mr.net
postmaster@notes.seagate.com
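
One way the proposal above could look in C, as an added example that is not part of the original message: each function takes a "destlen" argument, refuses an operation that would overrun "dest", returns an error code and posts to syslog. The names s_strcpy, s_strcat, s_sprintf and STR_EOVERRUN are hypothetical, and leaving "dest" untouched on refusal and logging at LOG_WARNING are assumptions of this sketch.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define STR_EOVERRUN (-1)   /* hypothetical error code; 0 means success */

/* Post the refused operation to syslog and hand back the error code. */
static int overrun(const char *fn, size_t need, size_t destlen)
{
    syslog(LOG_WARNING, "%s: refused, needs %lu bytes, dest holds %lu",
           fn, (unsigned long)need, (unsigned long)destlen);
    return STR_EOVERRUN;
}

/* strcpy() with a destination size; destlen counts the terminating NUL. */
int s_strcpy(char *dest, size_t destlen, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > destlen) return overrun("s_strcpy", need, destlen);
    memcpy(dest, src, need);
    return 0;
}

/* strcat() with a destination size; never reads past dest + destlen. */
int s_strcat(char *dest, size_t destlen, const char *src)
{
    const char *end = memchr(dest, '\0', destlen);
    size_t used = end ? (size_t)(end - dest) : destlen;  /* unterminated: full */
    size_t need = used + strlen(src) + 1;
    if (need > destlen) return overrun("s_strcat", need, destlen);
    memcpy(dest + used, src, need - used);
    return 0;
}

/* sprintf() with a destination size: measure first, write only if it fits. */
int s_sprintf(char *dest, size_t destlen, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);   /* length only, nothing written */
    va_end(ap);
    int fits = n >= 0 && (size_t)n + 1 <= destlen;
    if (fits) vsnprintf(dest, destlen, fmt, ap2);
    va_end(ap2);
    return fits ? 0 : overrun("s_sprintf", n < 0 ? 0 : (size_t)n + 1, destlen);
}

int main(void) { char b[8] = ""; return s_strcat(b, sizeof b, "far too long") != STR_EOVERRUN; }
```

Because a refusal changes nothing in "dest", callers must check the return value rather than assume the copy happened.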