http://cr.yp.to/proto/netstrings.txt

I didn't find any real code that actually did it like in the example, but I think it's worth mentioning since that page still gets referenced once in a while. I just noticed it in some recent O'Reilly article about safe string handling. It's been there for over 6 years unnoticed, so rather than just telling you what's wrong, I think it would make a pretty interesting vulndev challenge. Much harder than the previous ones anyway :)

So, here's the code, just assume sane variables etc. (and no, the problem isn't that you can allocate a gigabyte of memory):

    #include <stdio.h>
    #include <stdlib.h>

    unsigned long len;   /* declared length of the payload */
    char *buf;           /* payload buffer */

    if (scanf("%9lu",&len) < 1) barf(); /* >999999999 bytes is bad */
    if (getchar() != ':') barf();
    buf = malloc(len + 1); /* malloc(0) is not portable */
    if (!buf) barf();
    if (fread(buf,1,len,stdin) < len) barf();
    if (getchar() != ',') barf();

So not all code djb has ever written is secure :)

Oh, and djb knows about this now, didn't say if he's going to bother updating the page.
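A hardened reader for the same "<len>:<bytes>," format, added here as an example that is not part of the original post or of djb's page: it parses the length field one digit at a time instead of with scanf, because scanf's %lu conversion follows strtoul rules and accepts leading whitespace and a sign, so the 9-character width does not actually bound the value. The NS_* codes and the read_netstring_mem helper (POSIX fmemopen) are names chosen for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the helper below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome codes returned by read_netstring(). */
enum { NS_OK = 0, NS_BAD_LENGTH, NS_TOO_LONG, NS_BAD_SEP, NS_SHORT, NS_NOMEM };

/* Read one netstring "<len>:<len bytes>," from `in` into a freshly malloc'd,
 * NUL-terminated buffer.  The length is parsed digit by digit, not with
 * scanf("%9lu"): %lu accepts leading whitespace and a sign (strtoul rules),
 * so "-1" would be converted to ULONG_MAX and len + 1 would wrap to 0.
 * Here only 1..9 decimal digits (no leading zero except "0" itself) are
 * accepted, and the check happens before anything is allocated. */
int read_netstring(FILE *in, char **out, size_t *outlen)
{
    size_t len = 0;
    int ndigits = 0, c = getc(in);

    while (c >= '0' && c <= '9') {
        if (ndigits == 1 && len == 0) return NS_BAD_LENGTH; /* "01:" */
        if (++ndigits > 9) return NS_TOO_LONG;              /* >999999999 */
        len = len * 10 + (size_t)(c - '0');
        c = getc(in);
    }
    if (ndigits == 0) return NS_BAD_LENGTH;   /* " 5:", "-1:", ":" or EOF */
    if (c != ':') return NS_BAD_SEP;

    char *buf = malloc(len + 1);              /* len <= 999999999: no wrap */
    if (!buf) return NS_NOMEM;
    if (fread(buf, 1, len, in) != len) { free(buf); return NS_SHORT; }
    if (getc(in) != ',') { free(buf); return NS_BAD_SEP; }
    buf[len] = '\0';
    *out = buf;
    *outlen = len;
    return NS_OK;
}

/* Offline helper: parse a netstring held in memory via POSIX fmemopen(). */
int read_netstring_mem(const char *data, size_t n, char **out, size_t *outlen)
{
    FILE *f = fmemopen((void *)data, n, "r");
    if (!f) return NS_NOMEM;
    int rc = read_netstring(f, out, outlen);
    fclose(f);
    return rc;
}
```

Feeding the constructed inputs "-1:x," or " 5:hello," to read_netstring_mem returns NS_BAD_LENGTH before any buffer is allocated, whereas the scanf version accepts both length fields.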
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 14:34:41 PDT