[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev (forw) Possible buffer overflows in Lynx?

From: T.E.Dickey
Subject: Re: lynx-dev (forw) Possible buffer overflows in Lynx?
Date: Tue, 29 Feb 100 14:58:21 -0500 (EST)

> On Mon, 28 Feb 100, T.E.Dickey wrote: 
> [kw:] 
> > > Sure there are buffer overflows.  Nobody has done a comprehensive audit.  
> >  
> > agreed (but we keep picking away at it). 
> Yes, and things are a lot better than some versions ago. 
> > > If one needs to put a bogus http_proxy like http://AAAAAAAAAAAAAAAAAAAA  
> >  
> > I thought we fixed the places reported in this - last summer. 
> Maybe I misunderstood what M. Zalewski meant. 

perhaps (but he said much the same thing last year - without examples such
as the one you show, I suspect he's just repeating himself).
> > > Fixed lenght buffers are still used in various places, without checking  
> > > always for overruns.  One place is HTTP.c, with things like  
> > >   sprintf(line, "Host: %s%c%c", host, CR,LF);  

this one's simple to fix (with a .* in the format).  I don't know why we
overlooked this module before (the files under src are a lot more work to
go through).

> > ok (always more to find). 
> Actually, I think this is the one he found w.r.t. proxies. 
> This would only happen if some form of proxy or gateway is used, 
> since otherwise impossibly long hostnames are already rejected in 
> valid_hostname(). 
> Other unchecked calls in HTTP.c involving 'line' (see 'language', 
> 'pref_charset') are less dangerous, since the information can come 
> only from lynx.cfg or .lynxrc or the Options screen (you get what you 
> deserve) not from any old Web page. 
> I suggest to just skip sending those headers if the contents would be too 
> long, rather than using malloc'ed strings everywhere.  It seems wasteful 

...and rather than truncate them?

> to add more malloc calls and slow down every access, just for handling 
> a potential overlong header correctly.  None of those headers are required 
> by the protocol anyway, and if the line doesn't fit in line[INIT_LINE_SIZE] 
> it is obviously bogus.  So there is no point to waste more network packets 
> for sending it. 
> > > One thing though: LY_MAXPATH may be way too small for some systems.  
> > > It is defined to 256 in HTUtils.h.  Shouldn't this match the system's  
> > > PATH_MAX (or MAXPATHLEN) (+ 1 ?) instead?   
> >  
> > PATH_MAX is technically a minimum - the system declares that it can support 
> > pathnames at least that long. 
> But should we use it? 

it's better than nothing (at least it highlights places in the code that
assume they're big enough to hold a pathname).
> It would be better to check all strcpy etc. calls that involve fixed 
> LY_MAXPATH buffers, but I think there are still a lot of them. 

there's a lot - but when I last went looking for problems, the ones I saw
were all copying from one buffer to another of the same size (it's the
ones I overlooked that I'm interested in, such as HTTP.c).
>           Klaus 

Thomas E. Dickey

reply via email to

[Prev in Thread] Current Thread [Next in Thread]