Re: Unchecked sprintf/strcat?
* Mon May 29 2006 Rocco Rutte <pdmef@xxxxxxx>
> * TAKAHASHI Tamotsu [06-05-29 22:31:12 +0900] wrote:
> >* mon may 29 2006 thomas roessler <roessler@xxxxxxxxxxxxxxxxxx>
> >>return an int like in snprintf if all you want to do is know
> >>more about how much safe_strfcat copied. if you want to be
> >>able to use the result of safe_strfcat in other string
> >>operations, return a pointer to the destination string.
>
> >Good. I can simply use OpenBSD's strlcat.
> >(That needs a few lines in configure.ac.)
> >Anyway, the current code doesn't use the return value at all.
>
> That's a bad idea due to a license clash.
Oh I thought BSD code can be used in a GPL software like mutt.
Thanks for correcting me.
> I honor your effort of making mutt more secure/robust with the arbitrary
> input we get... but: can you summarize in a short sentence what is wrong
> with the current code?
Three not-so-dangerous problems:
0) Some sprintf/strcat/strcpy are not marked as /* __XXX_CHECKED__ */.
1) Simple miscalculation about sizeof(helpstr), while they are CHECKED.
| mutt_make_help (buf, sizeof (buf), _("Exit "), menu_to_use, OP_EXIT);
| strcat (helpstr, buf); /* __STRCAT_CHECKED__ */
2) Silent truncation like bug #2205.
> In some edge cases, our buffer sizes may be too small and we get
> truncation which may lead to more unexpected results. Which is bad, I
> agree. But I doubt it'll be worth it to check every single call of
> string operations...
Not for all the calls, but only for mutt_system() and IMAP/POP3 commands.
--
tamo