Subject: Re: buffer overflows in libsa
To: Roland Illig <rillig@NetBSD.org>
From: David Laight <david@l8s.co.uk>
List: tech-kern
Date: 08/23/2005 18:13:17

On Tue, Aug 23, 2005 at 10:47:22AM +0200, Roland Illig wrote:
> matthew green wrote:
> >one thing to be wary of is bloating the bootblocks.  all the
> >proposed changes increase the size of text...
> 
> As soon as no-one needs it, the gets(3) function will be removed from 
> libsa. This will reduce the text size again. I think the effective 
> increase will be around less than 20 machine instructions. But that's 
> the price for not having buffer overflows. ;)

And might be enough to take one of the boot loaders over the limit.

I, for one (at least), am not really bothered whether there are
buffer overflow possibilities in the boot code - especially any
relating to (excessively incorrect) keyboard input.

Remember crashing the system only really leaves you back where you are.
There is no DoS attack here.

The boot code is also likely to make other assumptions (eg that malloc
doesn't fail) because the only action on failure is to abort the boot
sequence.

	David

-- 
David Laight: david@l8s.co.uk