Subject: Re: strl{cpy,cat} into libkern
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 05/15/2003 05:31:20
>> strcpy(ioctl_reply->msg, "no additional drives found");
>> This relies on knowing that ioctl_reply->msg is much bigger than any
>> normal text, of course.
And is therefore dangerous, because if the message is lengthened, it
depends on a human noticing that the code makes that assumption and
checking the new message against the size of the buffer. (And humans
checking string lengths against buffer sizes is always dangerous. Let
the computer do the counting; it's better at it.)
I just recently made a similar mistake: I encoded data into a buffer
with no bounds checking, just "knowing" the buffer was big enough.
Except I sized the buffer before the encoding was cast in stone, and
under the final encoding scheme, the buffer sometimes _wasn't_ big
enough.
Fortunately it was not under sufficient user control to be exploitable
like a standard buffer overrun and was not security-critical code
anyway (obviously, in view of that, not in the kernel).
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B