On Thu, Jul 02, 1998 at 12:51:50PM -0400, Alan J Rosenthal wrote:

> Are these limits in fact unnecessary, or have the qualcomm folks missed a few?
> (This file is the same in v2.52 -- got in this morning and started working on
> the 2.5 version before I saw last night's bugtraq mail... arggh)
>
> If these limits are indeed necessary, note that there's also a copy of this
> sprintf call on line 76.

Not to mention in pop_msg.c where this whole mess began.

The Qualcomm folks have taken the approach of limiting the length of every string passed to the dangerous functions, instead of bounds checking within pop_log and pop_msg. This is a dangerous thing to do in my opinion - while they may indeed have caught every major problem, there could possibly be unforeseen circumstances where the strings passed to those functions do get overlarge. It would be a very reasonable safeguard to add bounds checking to pop_log and pop_msg, and patches to do that have already been posted to this list.

In fact, in the source code of 2.52 I see this:

    [0] mars:~/qp/qpopper2.52$ grep sprintf *.c |wc -l
    34

By no means are all of these dangerous, but a slightly more useful figure is:

    [0] mars:~/qp/qpopper2.52$ grep sprintf *.c |grep '%s'|wc -l
    18

Eighteen places where strings are pushed into fixed length buffers. If they have missed even one....

Daniel Jacobowitz
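The bounds-checking-inside-the-helper approach the post recommends, as an added illustration that is not qpopper's code or any patch from this thread. `safe_log_format` is a hypothetical stand-in for a pop_log/pop_msg-style function; `LOG_BUF_SIZE` and the 1023-byte argument are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded replacement for a pop_log/pop_msg-style helper
 * (added example, not qpopper's code). The original pattern was
 * sprintf(buf, fmt, ...) into a fixed buffer, trusting every caller to
 * keep its arguments short. Here the bound lives inside the helper, so an
 * oversized "%s" argument from any call site is truncated, not overflowed. */
#define LOG_BUF_SIZE 256

/* Formats into out[outsz]; never writes past the end and always
 * NUL-terminates (C99 vsnprintf). Returns 1 if the whole message fit,
 * 0 if it was truncated, -1 on a bad buffer or a format error. */
int safe_log_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int needed;
    if (out == NULL || outsz == 0)
        return -1;
    va_start(ap, fmt);
    needed = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)needed < outsz ? 1 : 0;
}

/* Short arguments: the message fits and comes out unchanged. */
int demo_short_argument(void)
{
    char buf[LOG_BUF_SIZE];
    int rc = safe_log_format(buf, sizeof buf, "user %s: %s", "alice", "ok");
    return rc == 1 && strcmp(buf, "user alice: ok") == 0;
}

/* Oversized argument (constructed, 1023 bytes): the call reports
 * truncation and buf is still a valid string of LOG_BUF_SIZE-1 chars. */
int demo_oversized_argument(void)
{
    char buf[LOG_BUF_SIZE];
    char huge[1024];
    int rc;
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    rc = safe_log_format(buf, sizeof buf, "user %s: %s", huge, "ok");
    return rc == 0 && strlen(buf) == LOG_BUF_SIZE - 1;
}
```

With the check inside the helper, the eighteen `%s` call sites counted above no longer each need their own length limit for the buffer to stay intact.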
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:01:53 PDT