Re: qpopper2.52

From: Dan Jacobowitz (drowat_private)
Date: Thu Jul 02 1998 - 13:54:33 PDT

On Thu, Jul 02, 1998 at 12:51:50PM -0400, Alan J Rosenthal wrote:
> Are these limits in fact unnecessary, or have the qualcomm folks missed a few?
> (This file is the same in v2.52 -- got in this morning and started working on
> the 2.5 version before I saw last night's bugtraq mail... arggh)
>
> If these limits are indeed necessary, note that there's also a copy of this
> sprintf call on line 76.

Not to mention in pop_msg.c where this whole mess began.  The Qualcomm
folks have taken the approach of limiting the length of every string
passed to the dangerous functions, instead of bounds checking within
pop_log and pop_msg.  This is a dangerous thing to do in my opinion -
while they may indeed have caught every major problem, there could
possibly be unforeseen circumstances where the strings passed to those
functions do get overlarge.  It would be a very reasonable safeguard to
add bounds checking to pop_log and pop_msg, and patches to do that have
already been posted to this list.

In fact, in the source code of 2.52 I see this:
[0] mars:~/qp/qpopper2.52$ grep sprintf *.c |wc -l
      34
By no means are all of these dangerous, but a slightly more useful
figure is:
[0] mars:~/qp/qpopper2.52$ grep sprintf *.c |grep '%s'|wc -l
      18

Eighteen places where strings are pushed into fixed length buffers.  If
they have missed even one....

Daniel Jacobowitz
---------------------------------------------------------------------------
drowat_private                                               danat_private
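The safeguard argued for above, as an added example that is not qpopper's code: a hypothetical bounded_log() stand-in for pop_log that enforces the buffer limit inside the routine with vsnprintf and reports truncation, so an oversized argument from any caller stays within the buffer whether or not that caller pre-truncated it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for qpopper's pop_log() (added example, not the
 * project's code). The bound lives here, inside the logging routine, so
 * every call site is covered instead of each caller having to clip its
 * own arguments before calling. */
#define LOG_BUF_SIZE 256

/* Formats fmt/... into out (never writing past outsz bytes), sets
 * *truncated when the message did not fit, and returns the number of
 * characters actually stored, excluding the terminating NUL. */
size_t bounded_log(char *out, size_t outsz, int *truncated, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (outsz == 0) { *truncated = 1; return 0; }
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);   /* bounded; NUL-terminates */
    va_end(ap);
    if (n < 0) { out[0] = '\0'; *truncated = 1; return 0; }
    *truncated = (size_t)n >= outsz;     /* n is the length it wanted */
    return (size_t)n < outsz ? (size_t)n : outsz - 1;
}

/* Constructed demonstration: a 599-byte string, larger than the whole
 * log buffer, is passed through %s. The result fits the buffer and the
 * truncation is reported rather than silently overrunning the stack. */
size_t demo_oversized(int *truncated)
{
    char buf[LOG_BUF_SIZE];
    char user[600];
    memset(user, 'A', sizeof user - 1);
    user[sizeof user - 1] = '\0';
    return bounded_log(buf, sizeof buf, truncated, "user %s failed login", user);
}
```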
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:01:53 PDT