[PATCH] Re: Possible Vulnerability in httpd.c

Simon Rettberg simon.rettberg at rz.uni-freiburg.de
Mon Nov 21 19:18:31 UTC 2016


On Mon, 21 Nov 2016 20:37:14 +0200
 Timo Teras <timo.teras at iki.fi> wrote:
> 
> It is still good practice to fill it with snprintf. If this is done,
> proper error checking should be done to check the final 'len' that it
> does not exceed IOBUF_SIZE or you have information leak bug (since
> snprintf returns the length it would generate if buffer was unbounded;
> not the length it actually wrote to the buffer).
> 
Exactly. It typically goes like this: Someone is using functions generally
considered "unsafe" because they know for sure it is not exploitable the way
it's being used in this specific instance. Then eventually someone else comes
along, adds feature X using unsafe functions as well (you try to do it the same
way the rest is written, right?), and boom, you suddenly got your exploit
because X happens to enable the remote user to inject arbitrarily long data
(think some %s the user can control).
It should be fixed properly, handling the case where the return value is
either > BUFSIZ or even < 0. As a compromise, something like xsnprintf would do (if we
don't have it already; not currently able to easily grep busybox). Potential
termination is still better than potential exploitability.
(...or just ignore old IE and write to the fd repeatedly...)

- Simon
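As an added illustration of the point both messages make (example code written for this page, not busybox's httpd.c): snprintf reports the length the full string would have had, so a caller that hands that number to write() after truncation reads past the buffer. IOBUF_SIZE here is a constructed value, and checked_snprintf, build_header and unchecked_len are hypothetical helpers.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Fixed-size output buffer, standing in for httpd's IOBUF_SIZE
 * (the value 64 is constructed for this example). */
#define IOBUF_SIZE 64

/* Format into buf and return the number of bytes actually stored
 * (excluding the NUL), or -1 on a format error or truncation.
 * vsnprintf returns the length the complete string WOULD have had,
 * so n >= size means the buffer holds only a truncated prefix. */
static int checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)              /* format/encoding error: contents unspecified */
        return -1;
    if ((size_t)n >= size)  /* truncated: n counts bytes never written */
        return -1;
    return n;
}

/* Build one response header line into a fixed buffer and report how many
 * bytes are safe to pass to write(). Returns -1 when it does not fit. */
int build_header(char *iobuf, size_t size, const char *content_type)
{
    return checked_snprintf(iobuf, size, "Content-type: %s\r\n", content_type);
}

/* The unchecked pattern: the raw snprintf return value, which for an
 * over-long content_type exceeds the buffer and must not be used as a
 * byte count for write(). Shown only to make the mismatch visible. */
int unchecked_len(char *iobuf, size_t size, const char *content_type)
{
    return snprintf(iobuf, size, "Content-type: %s\r\n", content_type);
}
```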

