On 07/27/2018 12:48 AM, Bernd Edlinger wrote:
> I have one more example similar to PR86259, that resembles IMHO real world
> code:
>
> Consider the following:
>
>
> int fun (char *p)
> {
>   char buf[16];
>
>   assert(strlen(p) < 4); //here: security relevant check
>
>   sprintf(buf, "echo %s - %s", p, p); //here: security relevant code
>   return system(buf);
> }
>
>
> What is wrong with the assertion?
>
> Nothing, except it is removed, when this function is called from untrusted
> code:
>
> void untrusted_fun ()
> {
>   char b[2] = "ab";
>   fun(b);
> }
>
> !!!! don't try to execute that: after "ab" there can be "; rm -rF / ;" on
> your stack!!!!

But this code is fundamentally broken and catering to this kind of crap is, well, dumb. At the point where we call strlen we've invoked undefined behavior.
These aren't security checks in my mind, they're bandaids for idiot code and are not suitable justification for making any changes for how we generate code in GCC. You could use them as an argument for improving warnings though.

Jeff
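The point of the exchange is that `char b[2] = "ab"` is legal C with no NUL terminator, so `strlen(b)` reads past the array and the compiler may treat the assertion as always true. The following is an added example, not code from the thread or from GCC, showing the defensive shape of the same function: the caller passes the capacity of `p`'s storage, termination is checked with `memchr` over that capacity, the `strlen(p) < 4` policy from the thread is applied only once the data is known to be well-defined, and `snprintf` replaces `sprintf` with truncation treated as failure. The names `build_echo_cmd`, `MAX_ARG_LEN` and the `demo_*` functions are my own, and the command string is built but never executed.

```c
/* Added example (not from the thread): a bounded rewrite of the quoted fun().
 * The caller passes the capacity of p's storage, so termination is checked
 * with memchr() instead of relying on strlen() on possibly unterminated data.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARG_LEN 3   /* the thread's "strlen(p) < 4" policy, as a bound */

/* Build "echo <p> - <p>" into out. Returns 0 on success, -1 if p is not
 * NUL-terminated within pcap bytes, exceeds MAX_ARG_LEN, or out is too
 * small. The command is only built here, never executed. */
int build_echo_cmd(char *out, size_t outsz, const char *p, size_t pcap)
{
    /* Locate the terminator inside the known capacity. strlen() would read
       past the array if none exists, and a compiler may assume that cannot
       happen, which is exactly how the quoted assertion disappears. */
    const char *nul = memchr(p, '\0', pcap);
    if (nul == NULL)
        return -1;                /* unterminated: reject rather than guess */

    size_t len = (size_t)(nul - p);
    if (len > MAX_ARG_LEN)
        return -1;                /* policy check, now on well-defined data */

    int n = snprintf(out, outsz, "echo %s - %s", p, p);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                /* truncated: do not hand on a partial command */
    return 0;
}

/* Constructed inputs mirroring the thread. */
int demo_terminated(void)
{
    char buf[16];
    const char ok[] = "ab";       /* sizeof ok == 3: the NUL is included */
    return build_echo_cmd(buf, sizeof buf, ok, sizeof ok);
}

int demo_unterminated(void)
{
    char buf[16];
    char b[2] = "ab";             /* legal C: no room for the terminator */
    return build_echo_cmd(buf, sizeof buf, b, sizeof b);
}

int demo_too_long(void)
{
    char buf[16];
    const char s[] = "abcd";      /* terminated, but violates the < 4 policy */
    return build_echo_cmd(buf, sizeof buf, s, sizeof s);
}

int demo_small_buffer(void)
{
    char buf[8];                  /* "echo ab - ab" needs 13 bytes incl. NUL */
    const char ok[] = "ab";
    return build_echo_cmd(buf, sizeof buf, ok, sizeof ok);
}

int main(void)
{
    printf("terminated:   %d\n", demo_terminated());     /* 0  */
    printf("unterminated: %d\n", demo_unterminated());   /* -1 */
    printf("too long:     %d\n", demo_too_long());       /* -1 */
    printf("small buffer: %d\n", demo_small_buffer());   /* -1 */
    return 0;
}
```

The unterminated case is rejected at runtime instead of being silently optimised away, because the check no longer depends on a read the language does not define. The same pattern applies to any length check on caller-supplied buffers: carry the capacity alongside the pointer and bound every read by it.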