netstrings example vulnerable
From: Timo Sirainen <tss(at)iki.fi>
Date: Tue May 27 2003 - 21:03:58 EDT
I didn't find any real code that actually did it like in the example, but I think it's worth mentioning since that page still gets referenced once in a while. I just noticed it in some recent O'Reilly article about safe string handling. It's been there for over 6 years unnoticed, so rather than just telling you what's wrong, I think it would make a pretty interesting vulndev-challenge. Much harder than the previous ones anyway :)

So, here's the code, just assume sane variables etc. (and no, the problem isn't that you can allocate a gigabyte of memory):
if (scanf("%9lu",&len) < 1) barf(); /* >999999999 bytes is bad */
if (getchar() != ':') barf();
buf = malloc(len + 1); /* malloc(0) is not portable */
if (!buf) barf();
if (fread(buf,1,len,stdin) < len) barf();
if (getchar() != ',') barf();
So not all code djb has ever written is secure :) Oh, and djb knows about this now, didn't say if he's going to bother updating the page.

Received on Fri May 30 17:41:46 2003
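
An added example, not part of the original post or of the page it discusses: one way to decode a netstring without handing the length field to scanf. Unlike `scanf("%9lu")`, which skips leading whitespace and accepts a sign, it takes only ASCII digits and bounds the length before it reaches `malloc(len + 1)`. It works on a buffer already in memory rather than on stdin, and `netstring_decode`, `netstring_len` and `NS_MAX_LEN` are names assumed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NS_MAX_LEN 999999999UL  /* ceiling the original "%9lu" comment aims for */

/* Decode one netstring "<len>:<data>," from in[0..inlen). Returns a malloc'd,
 * NUL-terminated copy of the data (length in *len_out), or NULL if malformed. */
char *netstring_decode(const char *in, size_t inlen, size_t *len_out)
{
    size_t i = 0, len = 0;
    /* Length field: ASCII digits only, so no whitespace and no sign, and no
     * leading zero unless the field is exactly "0". */
    if (inlen == 0 || in[0] < '0' || in[0] > '9') return NULL;
    if (in[0] == '0' && inlen > 1 && in[1] >= '0' && in[1] <= '9') return NULL;
    for (; i < inlen && in[i] >= '0' && in[i] <= '9'; i++) {
        size_t d = (size_t)(in[i] - '0');
        if (len > (NS_MAX_LEN - d) / 10) return NULL;  /* bound before multiplying */
        len = len * 10 + d;
    }
    if (i == inlen || in[i++] != ':') return NULL;
    /* Payload and trailing comma must both lie inside the input. */
    if (inlen - i <= len || in[i + len] != ',') return NULL;
    char *buf = malloc(len + 1);  /* len <= NS_MAX_LEN, so len + 1 cannot wrap */
    if (!buf) return NULL;
    memcpy(buf, in + i, len);
    buf[len] = '\0';
    *len_out = len;
    return buf;
}

/* Helper for the constructed samples: decoded length, or -1 if rejected. */
long netstring_len(const char *wire)
{
    size_t n = 0;
    char *p = netstring_decode(wire, strlen(wire), &n);
    if (!p) return -1;
    free(p);
    return (long)n;
}

int main(void)
{
    /* Constructed samples: two valid, four that must be rejected. */
    const char *s[] = { "5:hello,", "0:,", "-1:,", " 5:hello,", "05:hello,", "5:hell," };
    for (size_t k = 0; k < sizeof s / sizeof *s; k++)
        printf("%-10s -> %ld\n", s[k], netstring_len(s[k]));
    return 0;
}
```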