lynx-dev buffer overflow?

From: Mike Castle
Subject: lynx-dev buffer overflow?
Date: Thu, 30 Jul 1998 23:11:31 -0500 (CDT)

In looking at the DISPLAY stuff in LYOptions, I'm wondering if lynx is
susceptible to a buffer overflow in a particular spot (I'm sure there are
several, but we should work to eliminate them as we see them, right?).

First, in LYOptions.c, there are two buffers: display_option[250] and
putenv_command[142].

When the user hits [dD] to change the display, LYgetstr is called against
display_option and sizeof(display_option).

This value is then sprintf()'d into putenv_command for use in a putenv()
call. And the sprintf() call has no bounds on it.

Now, I suspect that the security of this is not too severe. After all,
LYgetstr will limit the character input to 250 printable characters, so it
would be tough for a hacker to overflow the stack and put values there and gain
access. But at worst, it could affect the stability of the program.

I'm not sure which would be a more correct fix:

* Modify the call to LYgetstr to use
  (sizeof(putenv_command)-(strlen(DISPLAY)+2)) instead of
  sizeof(display_option) (+2 for both \0 and =)
* Modify sprintf() to use %130s instead of %s

Comments?

mrc
--
Mike Castle Life is like a clock: You can work constantly
address@hidden and be right all the time, or not work at all
www.netcom.com/~dalgoda/ and be right at least twice a day. -- mrc
We are all of us living in the shadow of Manhattan. -- Watchmen
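
The size mismatch described in the message, as an added example that is not part of the original post or of the Lynx source: it measures what an unbounded format of a worst-case value would need against the 142-byte destination, then shows a bounded build that rejects oversized input and a precision-capped format. The function names, the `"DISPLAY=%s"` format string and the 249-character test value are assumptions; only the two buffer sizes come from the message. In the printf family a width such as `%130s` is a minimum field width, while a precision such as `%.130s` caps the characters written.

```c
#include <stdio.h>
#include <string.h>

#define DISPLAY_OPTION_SIZE 250   /* sizes quoted in the message */
#define PUTENV_COMMAND_SIZE 142

/* Bytes an unbounded sprintf("DISPLAY=%s") would write, including the NUL. */
size_t unbounded_need(const char *value)
{
    return (size_t)snprintf(NULL, 0, "DISPLAY=%s", value) + 1;
}

/* Bounded build: returns 0 on success, -1 if the value does not fit.
 * On failure the destination is left as an empty string, so a truncated
 * DISPLAY is never handed to putenv(). */
int build_putenv(char *dst, size_t dstsz, const char *value)
{
    int n = snprintf(dst, dstsz, "DISPLAY=%s", value);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Length produced by a precision-capped format ("%.*s"); a plain width
 * such as "%130s" is only a minimum and does not cap the output. */
size_t capped_len(char *dst, size_t dstsz, const char *value, int max_chars)
{
    int n = snprintf(dst, dstsz, "DISPLAY=%.*s", max_chars, value);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    char longest[DISPLAY_OPTION_SIZE];      /* constructed worst-case input */
    char putenv_command[PUTENV_COMMAND_SIZE];

    memset(longest, 'A', sizeof(longest) - 1);
    longest[sizeof(longest) - 1] = '\0';

    printf("unbounded sprintf needs %zu bytes, buffer has %d\n",
           unbounded_need(longest), PUTENV_COMMAND_SIZE);
    printf("bounded build: %d\n",
           build_putenv(putenv_command, sizeof(putenv_command), longest));
    printf("capped length: %zu\n",
           capped_len(putenv_command, sizeof(putenv_command), longest, 130));
    return 0;
}
```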