Re: CPSN 4-970424: Possible buffer overflow in pop3d

Andy Church (achurch@DRAGONFIRE.NET)
Mon, 28 Apr 1997 11:23:54 -0400 (EDT)

> FUNCTION: svr_auth(state,inbuf), has the "offending" line:
> strcpy(cli_user,inbuf);
> BUT: svr_auth is called from MAIN with:
> svr_state = svr_auth(svr_state,cli_buf);
> where cli_buf is read previously from stdin with:
> if (fgetl(cli_buf,CLI_BUFSIZ,stdin) == NULL)
>
> Now this machine doesn't have a manpage for "fgetl"

It's a custom routine (see util.c) which reads a line of text from a
file and discards all but the first `len'-1 bytes (CLI_BUFSIZ-1 in this
case).

> but, from the arguments, it looks like it will check the length...

Indeed it will; therefore, _the strcpy() is safe_. However, as a
general rule, I always comment strcpy() or similar calls with an
explanation of why the call is safe in order to prevent confusion such as
this.

This just goes to show that strcpy() isn't _always_ a security hole...

--Andy Church | If Bell Atlantic really is the heart
achurch@dragonfire.net | of communication, then it desperately
www.dragonfire.net/~achurch/ | needs a quadruple bypass.
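The reasoning in the message above (strcpy() is safe because fgetl() already bounded the input to CLI_BUFSIZ-1 bytes) as an added, self-contained example; this is not code from the pop3d source or from Andy Church. fgetl() is reimplemented here from the description in the post rather than copied from util.c, CLI_BUFSIZ is set to a deliberately small constructed value, svr_auth() is simplified to take only the input buffer, and the driver functions use POSIX fmemopen() to feed constructed lines in place of stdin.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Constructed, deliberately small buffer size so the truncation is visible. */
#define CLI_BUFSIZ 16

/* Hypothetical stand-in for the fgetl() in util.c as the post describes it:
 * read one line from fp, keep at most len-1 bytes, discard the rest of the
 * line, NUL-terminate. Returns NULL on EOF with nothing read. */
char *fgetl(char *buf, int len, FILE *fp)
{
    int c, n = 0;
    if (len <= 0)
        return NULL;
    while ((c = getc(fp)) != EOF && c != '\n') {
        if (n < len - 1)
            buf[n++] = (char)c;
        /* otherwise the byte is discarded, not stored */
    }
    if (c == EOF && n == 0)
        return NULL;
    buf[n] = '\0';
    return buf;
}

/* Destination of the strcpy() under discussion (hypothetical server state). */
static char cli_user[CLI_BUFSIZ];

/* Mirrors the svr_auth() pattern: strcpy() is safe here ONLY because every
 * caller fills inbuf via fgetl(inbuf, CLI_BUFSIZ, ...), so strlen(inbuf) is
 * at most CLI_BUFSIZ-1 and cli_user has CLI_BUFSIZ bytes. The invariant is
 * stated at the call, as the post recommends. Returns bytes copied. */
int svr_auth(const char *inbuf)
{
    strcpy(cli_user, inbuf);   /* safe: inbuf bounded by fgetl(..., CLI_BUFSIZ, ...) */
    return (int)strlen(cli_user);
}

/* Drive the whole path with constructed input: returns strlen(cli_user)
 * after the first line of text has gone through fgetl() and svr_auth(),
 * or -1 if there was no line. */
int auth_from_text(const char *text)
{
    char cli_buf[CLI_BUFSIZ];
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL)
        return -1;
    if (fgetl(cli_buf, CLI_BUFSIZ, fp) == NULL) {
        fclose(fp);
        return -1;
    }
    fclose(fp);
    return svr_auth(cli_buf);
}

/* Count the lines fgetl() returns for text: an over-long line still counts
 * as one line, because the excess is discarded rather than left for the
 * next read. */
int lines_read(const char *text)
{
    char cli_buf[CLI_BUFSIZ];
    int count = 0;
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL)
        return -1;
    while (fgetl(cli_buf, CLI_BUFSIZ, fp) != NULL)
        count++;
    fclose(fp);
    return count;
}

/* The alternative when a caller-side invariant is not worth trusting:
 * check the length against the destination size at the copy itself.
 * Returns bytes copied, or -1 (leaving dst untouched) if src won't fit. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

int main(void)
{
    printf("short line -> %d bytes in cli_user\n", auth_from_text("USER bob\n"));
    printf("long line  -> %d bytes in cli_user\n",
           auth_from_text("USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"));
    return 0;
}
```

The point of the two copy styles is where the bounds knowledge lives: svr_auth() is only correct while every caller keeps using fgetl() with CLI_BUFSIZ, which is why the comment at the strcpy() matters; copy_bounded() makes the check local so a future caller cannot break it.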