On Fri, Sep 05, 2003 at 04:47:30PM +0200, Frank Lichtenheld wrote:
> Hi.

Hello :)

> It was un/undermaintained a long time and has no separate upstream.
> While looking in the code to fix some outstanding bugs I found
> several code pieces like
>
> char path[256];
> sprintf( path, "some string/%s", packagename);
>
> There are no further checks as I can see. I'm not very experienced in C
> programming and don't know much about the details of exploiting buffer
> overflows or the like...

Of course it's a security problem, because passing a packagename longer
than 256 bytes can lead to a buffer overflow. If you want to read more
about BO and see how they work, read "Smashing stack for fun and profit".
To avoid this you should use a function like strncpy(), or insert between
those two lines something like

if(strlen(packagename)>255) exit(EXIT_FAILURE);

> Is such code (away from the fact that it can easily lead to segfaults) a
> security problem?
>
> Thanks,
> --
> Frank Lichtenheld <[EMAIL PROTECTED]>

--
Michael "carstein" Melewski     | "Nobody said it wouldn't hurt..."
[EMAIL PROTECTED]               |   -- Łukasz Wielebski on the progress of
mobile: 502 545 913             |      work on the Prokartel project
gpg: carstein.c.pl/carstein.txt |
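Added example (not code from either poster or from the package being discussed): a bounds-checked replacement for the sprintf() call, built with snprintf() so the 256-byte buffer can never be overrun, plus a length guard that accounts for the "some string/" prefix and the terminating NUL rather than only the packagename. The prefix string, the 256-byte size and the sample packagenames are taken from the thread or constructed for the demo; the function names build_path, packagename_fits, reply_guard_accepts and demo_build are my own. The demo shows why a guard of strlen(packagename) > 255 alone is not enough: a 250-byte name passes it but still does not fit once the prefix is added.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF_LEN 256           /* char path[256] from the thread */
#define PREFIX "some string/"      /* prefix from the thread's sprintf() */

/* Hardened replacement for sprintf(path, "some string/%s", packagename).
 * snprintf() never writes more than buflen bytes (including the NUL) and
 * returns the length the full string would have had, so truncation is
 * detected and reported instead of silently overflowing the stack.
 * Returns 0 on success, -1 if the result would not fit. */
int build_path(char *buf, size_t buflen, const char *packagename)
{
    int needed = snprintf(buf, buflen, PREFIX "%s", packagename);
    if (needed < 0 || (size_t)needed >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';         /* leave a valid empty string behind */
        return -1;
    }
    return 0;
}

/* Pre-check that mirrors the strlen() guard suggested in the reply, but
 * counts the prefix as well: prefix + name must leave room for the NUL. */
int packagename_fits(const char *packagename, size_t buflen)
{
    return strlen(PREFIX) + strlen(packagename) < buflen;
}

/* The guard exactly as proposed in the reply (only the name is measured). */
int reply_guard_accepts(const char *packagename)
{
    return strlen(packagename) <= 255;
}

/* Build a constructed packagename of name_len 'a' characters and try to
 * format it into a 256-byte buffer. Returns build_path()'s result, or -2
 * if the requested length is larger than the scratch buffer. */
int demo_build(size_t name_len)
{
    static char name[1024];
    char path[PATH_BUF_LEN];
    if (name_len >= sizeof name)
        return -2;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    return build_path(path, sizeof path, name);
}

int main(void)
{
    char path[PATH_BUF_LEN];
    static char name[1024];
    size_t lens[] = { 10, 243, 244, 250, 300 };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        memset(name, 'a', lens[i]);
        name[lens[i]] = '\0';
        printf("name length %3zu: reply guard accepts=%d, fits=%d, build_path=%d\n",
               lens[i], reply_guard_accepts(name),
               packagename_fits(name, sizeof path),
               build_path(path, sizeof path, name));
    }
    return 0;
}
```

With a 12-byte prefix and a 256-byte buffer the longest packagename that fits is 243 bytes; build_path() rejects anything longer and never writes past the buffer, whereas the name-only guard still accepts names of 244 to 255 bytes. Using strncpy()/strncat() instead of snprintf() works too, as long as the destination is explicitly NUL-terminated afterwards.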