
lynx-dev buffer overflow?


From: Mike Castle
Subject: lynx-dev buffer overflow?
Date: Thu, 30 Jul 1998 23:11:31 -0500 (CDT)

In looking at the DISPLAY stuff in LYOptions, I'm wondering if lynx is
susceptible to a buffer overflow in a particular spot (I'm sure there are
several, but we should work to eliminate them as we see them, right?).

First, in LYOptions.c, there are two buffers:  display_option[250] and
putenv_command[142].

When the user hits [dD] to change the display, LYgetstr is called against
display_option and sizeof(display_option).

This value is then sprintf()'d into putenv_command for use in a putenv()
call.  And the sprintf() call has no bounds on it.

Now, I suspect that the security of this is not too severe.  After all,
LYgetstr will limit the character input to 250 printable characters, so it
would be tough for a hacker to overflow the stack and put values there and gain
access.  But at worst, it could affect the stability of the program.

I'm not sure which would be a more correct fix:
* Modify the call to LYgetstr to use 
  (sizeof(putenv_command)-(strlen(DISPLAY)+2)) instead of
  sizeof(display_option)  (+2 for both \0 and =)

* Modify sprintf() to use %130s instead of %s

Comments?

mrc
-- 
       Mike Castle       Life is like a clock:  You can work constantly
  address@hidden  and be right all the time, or not work at all
www.netcom.com/~dalgoda/ and be right at least twice a day.  -- mrc
    We are all of us living in the shadow of Manhattan.  -- Watchmen
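
Added example, not part of the original post and not Lynx source: it measures what the two format widths would write for the 250/142 byte buffers described above, and shows a bounded build with snprintf() that rejects oversized input. The function names and the literal "DISPLAY=" prefix are assumptions; in C, `%130s` sets a minimum field width, while `%.130s` sets the maximum number of characters copied.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are the ones quoted in the post; function names are hypothetical. */
#define DISPLAY_OPTION_SIZE 250
#define PUTENV_COMMAND_SIZE 142

static char putenv_command[PUTENV_COMMAND_SIZE];

/* Constructed sample input: n printable characters, capped at 249. */
const char *sample_value(size_t n)
{
    static char buf[DISPLAY_OPTION_SIZE];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Characters "%130s" would produce: 130 is a minimum width (pads, never cuts). */
size_t len_with_width(const char *value)
{
    int n = snprintf(NULL, 0, "DISPLAY=%130s", value);
    return n < 0 ? 0 : (size_t)n;
}

/* Characters "%.130s" would produce: 130 is a precision (maximum copied). */
size_t len_with_precision(const char *value)
{
    int n = snprintf(NULL, 0, "DISPLAY=%.130s", value);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded build: reject rather than truncate, so putenv() never sees a cut value. */
int set_display_command(const char *value)
{
    int n = snprintf(putenv_command, sizeof putenv_command, "DISPLAY=%s", value);
    if (n < 0 || (size_t)n >= sizeof putenv_command) {
        putenv_command[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("249 chars, %%130s: %zu\n", len_with_width(sample_value(249)));
    printf("249 chars, %%.130s: %zu\n", len_with_precision(sample_value(249)));
    printf("134 chars, bounded build: %d\n", set_display_command(sample_value(134)));
    return 0;
}
```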
