Re: Are bad developer libraries the problem with M$ software?

Hi all,

>

Another thing to use is consistency, for example,

char dst[50];
strncpy(dst, user_supplied_data, sizeof(dst)); strncat(dst, sizeof(dst) - strlen(dst) -1, moreuserdata);

This could be exploitable if user_supplied_data is 50 or more bytes long.

In specific,

50 - 50 - 1 == -1

Since strncat's len parameter is size_t (which is unsigned), strncat is willing to append _way_ to many bytes. IIRC, some fingerd's had this problem (possibly some identd, *shrug*).

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Similar things can be done to snprintf and so on. A wrapper around those   library calls could be used to check if its unsigned (and wouldn't have that much drawback, because I can't think of anything that'd do a  >2G string operation normally), by using int as opposed to size_t.

I guess this comes to the class of integer over/under flows now :)

Sincerely,
Andrew Griffiths Received on Tue Nov 19 15:28:57 2002