Re: security vulnerability in glibc's strfry()
From: wmglo
Subject: Re: security vulnerability in glibc's strfry()
Date: 18 Jul 2003 13:57:07 -0000

> Description: An exploitable buffer overflow condition exists in The GNU
> Project's GNU C Library (glibc) strfry(3) function.
>
> The vulnerability exists specifically because the strfry(3) function
> does not take into account that the supplied argument string may not be
> null terminated.

Is this a joke? A "string" in C _is_ null-terminated, period. _All_
the str... functions require null-terminated strings unless stated
otherwise. If strfry would work with non-terminated buffers, it would
be called memfry (and would obviously need a size argument).

> Workaround: Applications requiring the usage of strfry(3) should ensure
> that strings passed to strfry(3) are NULL terminated. Example:
>
> buffer[sizeof(buffer) - 1] = "\0";
> strfry(buffer);

Yeah, right. Hint: this shouldn't even compile, and if it would, you'd
have a massive bug.

Regards,
Wolfram.
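
Added example (not part of the original message and not glibc code): a C sketch of the distinction discussed above, with a hypothetical sized memfry() and a wrapper that looks for a terminator inside the buffer before treating its contents as a string. The names has_terminator, memfry and fry_bounded and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if buf[0..size) contains a '\0', i.e. it really holds a C string. */
int has_terminator(const char *buf, size_t size)
{
    return size > 0 && memchr(buf, '\0', size) != NULL;
}

/* Hypothetical memfry(): Fisher-Yates shuffle of exactly n bytes.
 * rand() is enough for an anagram; it is not a cryptographic source. */
void *memfry(void *mem, size_t n)
{
    unsigned char *p = mem;
    for (size_t i = n; i > 1; i--) {
        size_t j = (size_t)rand() % i;
        unsigned char tmp = p[i - 1];
        p[i - 1] = p[j];
        p[j] = tmp;
    }
    return mem;
}

/* Shuffle the string in a fixed-size buffer. Returns -1 without touching
 * the buffer when no terminator lies inside it, 0 on success. */
int fry_bounded(char *buf, size_t size)
{
    if (!has_terminator(buf, size))
        return -1;
    memfry(buf, strlen(buf));   /* strlen is safe: '\0' is within size */
    return 0;
}

int main(void)
{
    char buffer[8];
    memset(buffer, 'A', sizeof(buffer));        /* constructed: no '\0' */
    printf("unterminated: %d\n", fry_bounded(buffer, sizeof(buffer)));
    /* '\0' is a char constant; "\0" is a string literal, i.e. a pointer. */
    buffer[sizeof(buffer) - 1] = '\0';
    strcpy(buffer, "abcdefg");                  /* 7 chars + '\0' fit */
    printf("terminated:   %d -> %s\n", fry_bounded(buffer, sizeof(buffer)), buffer);
    return 0;
}
```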