On Mon, Sep 05, 2016 at 10:32:40AM -0500, Derek Martin wrote:

> Is strfcpy() widely available?

Ah, now I see that strfcpy() is a Mutt-specific macro that intends to make strncpy() safer. I was actually thinking of strlcpy(), which is equivalent to Mutt's strfcpy(); but it does not matter. ALL of these functions suffer from the same affliction: if dest is too small, they all silently lose data on copy. There are approximately 360 such calls to strfcpy() in Mutt's code; if any of these calls are used in such a way that data loss is sensitive, it could result in a security exploit. It would require an audit.

Maybe there's an easier way to deal with that problem that's still reasonable:

    #include <assert.h>
    #include <stdio.h>

    /* snprintf() always NUL-terminates and returns the length the full
     * copy would have needed, so the caller can detect truncation. */
    int safe_strncpy(char *dest, const char *src, size_t size)
    {
        return snprintf(dest, size, "%s", src);
    }

    /* guard against silent data loss on string copy */
    #define strfcpy(A,B,C) do { \
        int rc = safe_strncpy(A,B,C); \
        assert(rc >= 0 && (size_t)rc < (C)); \
    } while (0)

The abort on failure is annoying, but better than a potential security hole caused by silently truncating sensitive data, and the abort mostly shouldn't ever happen. But Mutt already uses assert() fairly liberally, and if there ARE bugs that trigger this, the above will make them easy to identify and fix. =8^)

-- 
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.