httpd-dev mailing list archives

From Marc Slemko <>
Subject Re: and now back to snprintf (fwd)
Date Thu, 16 Jan 1997 02:03:25 GMT
My suggestion is that we have TWO alternatives (ie. built in snprintf()
and one that we provide) and if they BOTH can not be used on a platform
AND someone makes the decision THEMSELVES that they are willing to take the
risk of using sprintf, then we should make it possible for them to do so
reasonably nicely.  I do not advocate making a half-hearted attempt at
snprintf() so we can hold it up and say "look, it isn't our fault" but I
do advocate not burning the bridges behind us when the next one may not be
built for some people.  (how's that for a silly analogy?)

I do NOT support making the recommended solution simply another "aww, this
buffer should be big enough for anything" solution.  Remember, that's what
got us in trouble in the first place.  Unless you can manage to find a
magic way to allocate your buffer at the very end of memory all the time,
you are just switching one buffer for another.  Sure, the buffer is a bit
bigger but all that does is make it a little harder to exploit.  It
doesn't fix it.  

WRT your claim you can safely abort if there is an overflow: if you are
able to exploit it, it is possible that the exploit would go into play
when sprintf() does its return() depending on how they do it (ie. if they
do something like overwriting the eip/pc/whatever your platform calls it). 
If that happens, you will never GET to your abort. 

Luckily, right now MOST of the input is limited to 8k by the read
routines.  You can't rely on this, because there are other ways of
getting input to the server, sometimes multiple user-input bits of data
are concatenated, and that 8k limit may not be there forever.

On Wed, 15 Jan 1997, Jim Jagielski wrote:

> Marc Slemko wrote:
> > 
> > On Wed, 15 Jan 1997, Jim Jagielski wrote:
> > 
> > > Marc Slemko wrote:
> > > > 
> > > > Cough.
> > > > 
> > > > I don't see how this works.  Either you have to allocate an array of
> > > > infinite length or you have to parse and modify the format string, no?
> > > 
> > > Here's what I do.
> > > 
> > > 	char temp[20480];
> > > 	written = sprintf(temp, ......)
> > > 
> > > I then check to see if written > 20480 and if so generate an
> > > error just in case. I then do a min of written and the len
> > > parameter to snprintf() and copy from temp to the actual
> > > buffer. I clear out temp[], just in case as well and return.
> > 
> > Ugh.  Double ugh.  Triple ugh.
> > 
> > I just plain don't like it.
> > 
> I fail to see how you feel all fine and dandy about just a stupid
> wrapper yet Ugh away with a wrapper that at least attempts to
> let the WebAdmin know what's going on and allows for abort() for
> the paranoid.
> -- 
> ====================================================================
>       Jim Jagielski            |       jaguNET Access Services
>                   "Not the Craw... the CRAW!"

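The bounded alternative Marc is arguing for, as an added example that is not code from this thread or from the Apache httpd source. It assumes a C library whose snprintf() never writes past the size it is given; the wrapper name bounded_format, the status codes and the two demo inputs are constructed for illustration, and the 8192-byte buffer mirrors the 8k read limit mentioned above. The point it demonstrates is the one made in the reply about abort(): a length check that runs after sprintf() has already overrun the buffer runs too late, whereas a check on the value vsnprintf() returns happens before any byte past the buffer is touched. The concatenation case shows two inputs that each respect the 8k limit but together do not fit.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by bounded_format (constructed for this example). */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/* The per-read input cap mentioned in the message (8k). */
#define READ_LIMIT 8192

/* bounded_format: format into dst (dstlen bytes) and report whether the
 * whole result fit.  Nothing is ever written past dstlen, so the decision
 * to refuse or abort is made BEFORE any damage, not after it. */
int bounded_format(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || dstlen == 0)
        return FMT_ERROR;

    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);

    /* C99 returns the length the full output would have had; a value
     * >= dstlen means the output was cut short.  Older libcs returned -1
     * on truncation, and C99 returns a negative value on an encoding
     * error, so a negative result is treated as a failure as well.  In
     * every failure case the buffer is left NUL-terminated. */
    if (n < 0) {
        dst[dstlen - 1] = '\0';
        return FMT_ERROR;
    }
    if ((size_t)n >= dstlen) {
        dst[dstlen - 1] = '\0';   /* vsnprintf did this already; be explicit */
        return FMT_TRUNCATED;
    }
    return FMT_OK;
}

/* demo_fits: a small request line that fits; returns 1 on success. */
int demo_fits(void)
{
    char out[16];
    int st = bounded_format(out, sizeof out, "%s:%d", "localhost", 80);
    return st == FMT_OK && strcmp(out, "localhost:80") == 0;
}

/* demo_truncated_small: output longer than the 16-byte buffer; the wrapper
 * reports truncation and the buffer stays terminated.  Returns 1 on success. */
int demo_truncated_small(void)
{
    char out[16];
    int st = bounded_format(out, sizeof out, "%s",
                            "this does not fit in sixteen bytes");
    return st == FMT_TRUNCATED && strlen(out) == 15 && out[15] == '\0';
}

/* demo_concatenation: two constructed inputs that each stay under the 8k
 * read limit are combined into one 8k buffer.  Their sum does not fit, and
 * the wrapper says so instead of overrunning.  Returns the status code. */
int demo_concatenation(void)
{
    static char uri[4097];          /* constructed: 4096 'a' + NUL */
    static char query[4097];        /* constructed: 4096 'b' + NUL */
    static char out[READ_LIMIT];

    memset(uri, 'a', 4096);   uri[4096] = '\0';
    memset(query, 'b', 4096); query[4096] = '\0';

    return bounded_format(out, sizeof out, "GET %s?%s HTTP/1.0", uri, query);
}

int main(void)
{
    printf("small fits:        %s\n", demo_fits() ? "ok" : "FAIL");
    printf("small truncated:   %s\n", demo_truncated_small() ? "ok" : "FAIL");
    printf("concatenated 8k:   %s\n",
           demo_concatenation() == FMT_TRUNCATED ? "truncation reported" : "FAIL");
    return 0;
}
```

The caller decides what to do with FMT_TRUNCATED (log it, reject the request, or abort() for the paranoid); what matters is that the decision is reachable, because the return address and everything else past the buffer are still intact when it is made.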