lynx-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev (forw) Possible buffer overflows in Lynx?

From: Klaus Weide
Subject: Re: lynx-dev (forw) Possible buffer overflows in Lynx?
Date: Mon, 28 Feb 2000 13:51:18 -0600 (CST) 
On Mon, 28 Feb 2000, Rob Partington wrote:

> 
> I'm a bit behind wrt Lynx development, sorry if this has already been
> dealt with.  Is this as bad as he claims?

Sure there are buffer overflows.  Nobody has done a comprehensive audit.

If one needs to put a bogus http_proxy like http://AAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[add a couple thousand more] in
lynx.cfg in order to provoke them, I fail to see how that is a security
problem.  If you do that as the admin or user, you get what you deserve.
If some intruder has write access to lynx.cfg, you are already screwed.

Fixed lenght buffers are still used in various places, without checking
always for overruns.  One place is HTTP.c, with things like
  sprintf(line, "Host: %s%c%c", host, CR,LF);

As for "some overflows when viewing 'Information about current document'
and so on" - I don't know what they are.  LYShowInfo.c uses some fixed
length buffers, but AFAICS they are used (in a way that could be exploited)
only for local files, i.e., in dired mode.  One would have to browse a local
directory with impossibly long filenames to run into this.

One thing though: LY_MAXPATH may be way too small for some systems.
It is defined to 256 in HTUtils.h.  Shouldn't this match the system's
PATH_MAX (or MAXPATHLEN) (+ 1 ?) instead? 

    Klaus

> ------- Forwarded Message
> 
> Date:    Sun, 27 Feb 2000 16:30:03 +0100
> From:    Michal Zalewski <address@hidden>
> To:      address@hidden
> Subject: lynx - someone is deaf and blind ;)
> 
[...]
> Similar problems are present for example when lynx is using proxy server
> (often sysadm puts proxy server settings in global lynx.cfg) - even in
> recent 2.8.3dev2x releases - http://AAA... or ftp://AAA... requests with
> over 2 kb of junk after protocol indentifier (instead of valid hostname) -
> 0x41414141 SEGV - old, good, exploitable overflow while preparing request
> for proxy server. AND MORE FOLLOWS - for example some overflows when
> viewing 'Information about current document' and so on, all related to
> extremely long URLs.
[...]
reply via email to
[Prev in Thread] Current Thread [Next in Thread]