lynx-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev (forw) Possible buffer overflows in Lynx?

From: T.E.Dickey
Subject: Re: lynx-dev (forw) Possible buffer overflows in Lynx?
Date: Mon, 28 Feb 100 21:06:50 -0500 (EST) 
> On Mon, 28 Feb 2000, Rob Partington wrote: 
>  
> >  
> > I'm a bit behind wrt Lynx development, sorry if this has already been 
> > dealt with.  Is this as bad as he claims? 
>  
> Sure there are buffer overflows.  Nobody has done a comprehensive audit. 

agreed (but we keep picking away at it).
  
> If one needs to put a bogus http_proxy like http://AAAAAAAAAAAAAAAAAAAA 
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[add a couple thousand more] in 

I thought we fixed the places reported in this - last summer.

> lynx.cfg in order to provoke them, I fail to see how that is a security 
> problem.  If you do that as the admin or user, you get what you deserve. 
> If some intruder has write access to lynx.cfg, you are already screwed. 
>  
> Fixed lenght buffers are still used in various places, without checking 
> always for overruns.  One place is HTTP.c, with things like 
>   sprintf(line, "Host: %s%c%c", host, CR,LF); 

ok (always more to find).
  
> As for "some overflows when viewing 'Information about current document' 
> and so on" - I don't know what they are.  LYShowInfo.c uses some fixed 
> length buffers, but AFAICS they are used (in a way that could be exploited) 
> only for local files, i.e., in dired mode.  One would have to browse a local 
> directory with impossibly long filenames to run into this. 
>  
> One thing though: LY_MAXPATH may be way too small for some systems. 
> It is defined to 256 in HTUtils.h.  Shouldn't this match the system's 
> PATH_MAX (or MAXPATHLEN) (+ 1 ?) instead?  

PATH_MAX is technically a minimum - the system declares that it can support
pathnames at least that long.
  
>     Klaus 
>  
> > ------- Forwarded Message 
> >  
> > Date:    Sun, 27 Feb 2000 16:30:03 +0100 
> > From:    Michal Zalewski <address@hidden> 
> > To:      address@hidden 
> > Subject: lynx - someone is deaf and blind ;) 
> >  
> [...] 
> > Similar problems are present for example when lynx is using proxy server 
> > (often sysadm puts proxy server settings in global lynx.cfg) - even in 
> > recent 2.8.3dev2x releases - http://AAA... or ftp://AAA... requests with 
> > over 2 kb of junk after protocol indentifier (instead of valid hostname) - 
> > 0x41414141 SEGV - old, good, exploitable overflow while preparing request 
> > for proxy server. AND MORE FOLLOWS - for example some overflows when 
> > viewing 'Information about current document' and so on, all related to 
> > extremely long URLs. 
> [...] 
>  


-- 
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
reply via email to
[Prev in Thread] Current Thread [Next in Thread]