[Techtalk] Theory vs. practice
Julie
jockgrrl at austin.rr.com
Wed Jan 16 00:59:21 EST 2002
Jenn Vesperman wrote:
>
> On Wed, 2002-01-16 at 13:22, Julie wrote:
>
> > What I think of as "security bugs" is code like this --
> >
> > if (stat (file, blah) == 0 && blah.st_uid == me)
> >     chown (file, me, new_group);
> >
> > where the fact that there is a race between the stat and the
> > chown exists.
>
> Except that there -shouldn't- be a race condition, because the
> conditional should be evaluated before the chown. If the conditional
> hasn't been evaluated, the code doesn't know whether to do the chown or
> not.
Jeff already gave away the answer, but that's more of a "security bug" than
    char buf[1024];
    char prefix[1024];
    char suffix[1024];

    gets (prefix);                          /* no length limit at all */
    gets (suffix);
    strcat (strcpy (buf, prefix), suffix);  /* up to 2 x 1024 bytes into 1024 */
which is a pretty garden-variety way of (mis-) coding a buffer
overflow.
Years ago the attitude was "Well, if the user enters a string
=that= long they get what they deserve!".
The problem is that coders very seldom consider all of the
various assumptions they are making. For example "No one is
going to type a 1K string!". Okay, if that's what you're
assuming, test for it.
#include <stdio.h>
#include <string.h>

int read_and_join (void)
{
    char buf[2048];
    char prefix[1024];
    char suffix[1024];
    char *cp;

    /* fgets stops at sizeof-1 bytes; no '\n' means the line was too long */
    if (! fgets (prefix, sizeof prefix, stdin) ||
        ! (cp = strrchr (prefix, '\n')))
        return -1;
    *cp = '\0';
    if (! fgets (suffix, sizeof suffix, stdin) ||
        ! (cp = strrchr (suffix, '\n')))
        return -1;
    *cp = '\0';
    /* worst case 1023 + 1023 + NUL = 2047 bytes, which fits in buf[2048] */
    strcat (strcpy (buf, prefix), suffix);
    return 0;
}
Look Ma, no buffer overflows ...
(The answer to file name race conditions is open(), fstat(),
fchmod(), fchown(), etc.)
--
Julianne Frances Haugh Life is either a daring adventure
jockgrrl at austin.rr.com or nothing at all.
-- Helen Keller
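The descriptor-based fix that the parenthetical about open()/fstat()/fchown() refers to, written out as an added example (not code from the original post). The helper name chgrp_if_owner and the demo() routine are assumptions; the demo constructs its own temp file.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: check ownership and change the group on the SAME
   open descriptor, so the path cannot be swapped between the check and
   the change. Returns 0 on success, 1 if the file is not owned by `me`
   (left untouched), -1 on error. */
int chgrp_if_owner(const char *file, uid_t me, gid_t new_group)
{
    struct stat st;
    /* O_NOFOLLOW refuses to open through a symlink at the final component */
    int fd = open(file, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {          /* inspect the inode we opened */
        close(fd);
        return -1;
    }
    if (st.st_uid != me) {
        close(fd);
        return 1;
    }
    /* fchown acts on that same inode, not on a fresh path lookup */
    int rc = fchown(fd, (uid_t)-1, new_group);
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Constructed demo: a temp file we own is regrouped to our own primary
   group (always permitted for the owner); a second call with a uid that
   is not ours must refuse. Returns 0 when both behave as expected. */
int demo(void)
{
    char path[] = "/tmp/toctou-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    int mine    = chgrp_if_owner(path, geteuid(), getegid());
    int notmine = chgrp_if_owner(path, geteuid() + 1, getegid());
    unlink(path);
    return (mine == 0 && notmine == 1) ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```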