
Re: Unchecked sprintf/strcat?



* Mon May 29 2006 Rocco Rutte <pdmef@xxxxxxx>
> * TAKAHASHI Tamotsu [06-05-29 22:31:12 +0900] wrote:
> >* Mon May 29 2006 Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
> >>return an int like in snprintf if all you want to do is know
> >>more about how much safe_strfcat copied.  if you want to be
> >>able to use the result of safe_strfcat in other string
> >>operations, return a pointer to the destination string.
> 
> >Good. I can simply use OpenBSD's strlcat.
> >(That needs a few lines in configure.ac.)
> >Anyway, the current code doesn't use the return value at all.
> 
> That's a bad idea due to a license clash.

Oh, I thought BSD code could be used in GPL software like mutt.
Thanks for correcting me.

> I honor your effort of making mutt more secure/robust with the arbitrary 
> input we get... but: can you summarize in a short sentence what is wrong 
> with the current code?

Three not-so-dangerous problems:
0) Some sprintf/strcat/strcpy are not marked as /* __XXX_CHECKED__ */.
1) A simple miscalculation about sizeof(helpstr), even though they are CHECKED:
|  mutt_make_help (buf, sizeof (buf), _("Exit  "), menu_to_use, OP_EXIT);
|  strcat (helpstr, buf);       /* __STRCAT_CHECKED__ */
2) Silent truncation like bug #2205.


> In some edge cases, our buffer sizes may be too small and we get 
> truncation which may lead to more unexpected results. Which is bad, I 
> agree. But I doubt it'll be worth it to check every single call of 
> string operations...

Not for all the calls, but only for mutt_system() and IMAP/POP3 commands.

-- 
tamo
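As an added illustration of the two points above (a bounded append that returns a length so the caller can detect truncation, and checking the concatenation against the size of the destination rather than of the scratch buffer), here is an independent example; it is not mutt's code, and make_help() is a hypothetical stand-in for mutt_make_help():

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded append with snprintf-style reporting, written independently for
 * this example: appends src to the NUL-terminated dst, never writes past
 * dstsize bytes, always terminates, and returns the length the complete
 * string would have had.  A return value >= dstsize means dst was too
 * small and the result was truncated. */
size_t bounded_strcat(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    size_t dlen = end ? (size_t)(end - dst) : dstsize;
    size_t slen = strlen(src);

    if (dlen == dstsize)            /* dst not terminated: touch nothing */
        return dstsize + slen;
    if (slen < dstsize - dlen) {
        memcpy(dst + dlen, src, slen + 1);   /* fits, including the NUL */
    } else {
        memcpy(dst + dlen, src, dstsize - dlen - 1);
        dst[dstsize - 1] = '\0';             /* truncated, but terminated */
    }
    return dlen + slen;
}

/* Hypothetical stand-in for mutt_make_help(): formats one entry into buf. */
static void make_help(char *buf, size_t bufsize, const char *label, const char *key)
{
    snprintf(buf, bufsize, "%s:%s  ", key, label);
}

/* Builds a help line from several entries.  Unlike the quoted pattern, each
 * append is checked against helpsize (the size of helpstr), not sizeof(buf).
 * Returns 1 if everything fit, 0 if the line would have been truncated. */
int build_help_line(char *helpstr, size_t helpsize)
{
    static const char *const labels[] = { "Exit", "Del", "Undel", "Save",
                                          "Mail", "Reply", "Group" };
    static const char *const keys[]   = { "q", "d", "u", "s", "m", "r", "g" };
    char buf[32];
    size_t i;

    helpstr[0] = '\0';
    for (i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        make_help(buf, sizeof buf, labels[i], keys[i]);
        if (bounded_strcat(helpstr, helpsize, buf) >= helpsize)
            return 0;   /* plain strcat would have overflowed or truncated */
    }
    return 1;
}
```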