bug-glibc

Re: security vulnerability in glibc's strfry()


From: wmglo
Subject: Re: security vulnerability in glibc's strfry()
Date: 18 Jul 2003 13:57:07 -0000

> Description:  An exploitable buffer overflow condition exists in the GNU
> Project's GNU C Library (glibc) strfry(3) function.
> 
> The vulnerability exists specifically because the strfry(3) function
> does not take into account that the supplied argument string may not be
> null terminated.

Is this a joke?  A "string" in C _is_ null-terminated, period.  _All_
the str... functions require null-terminated strings unless stated
otherwise.  If strfry would work with non-terminated buffers, it would
be called memfry (and would obviously need a size argument).

> Workaround:  Applications requiring the usage of strfry(3) should ensure
> that strings passed to strfry(3) are NULL terminated. Example: 
> 
> buffer[sizeof(buffer) - 1] = "\0";
> strfry(buffer);  

Yeah, right.  Hint: this shouldn't even compile, and if it would, you'd
have a massive bug.

Regards,
Wolfram.
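
The following is an added example, not part of the original message or of glibc: it shows the termination the quoted workaround was aiming for, written with the character constant '\0' instead of the string literal "\0", plus a bounded check that refuses to hand an unterminated buffer to strfry(3). The helper names is_terminated, fry_checked and copy_terminated are hypothetical, and the sample buffers are constructed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* strfry() is a GNU extension */
#endif
#include <stddef.h>
#include <string.h>

/* Same prototype glibc uses; repeated so the block builds even if
   <string.h> was already included without _GNU_SOURCE. */
char *strfry(char *string);

/* Hypothetical helper: returns 1 if buf holds a NUL within its first
   size bytes, i.e. it is a valid C string inside the buffer. */
int is_terminated(const char *buf, size_t size)
{
    return buf != NULL && size > 0 && memchr(buf, '\0', size) != NULL;
}

/* Hypothetical helper: shuffle buf in place only if it is terminated.
   Returns 0 on success, -1 if the buffer is rejected. */
int fry_checked(char *buf, size_t size)
{
    if (!is_terminated(buf, size))
        return -1;
    strfry(buf);               /* permutes the bytes before the NUL */
    return 0;
}

/* Fill a fixed buffer from untrusted input: strncpy() writes no NUL
   when src fills dst, so the last byte is set to the character
   constant '\0' (a char), not the string literal "\0" (a pointer). */
void copy_terminated(char *dst, size_t size, const char *src)
{
    if (size == 0)
        return;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
}

int main(void)
{
    char raw[4] = { 'a', 'b', 'c', 'd' };   /* constructed: no NUL */
    char buf[8];

    copy_terminated(buf, sizeof buf, "0123456789");
    return (fry_checked(raw, sizeof raw) == -1 &&
            fry_checked(buf, sizeof buf) == 0) ? 0 : 1;
}
```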



