[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev (forw) Possible buffer overflows in Lynx?
From: |
Klaus Weide |
Subject: |
Re: lynx-dev (forw) Possible buffer overflows in Lynx? |
Date: |
Tue, 29 Feb 2000 14:25:48 -0600 (CST) |
> > > > Fixed lenght buffers are still used in various places, without checking
> > > >
> > > > always for overruns. One place is HTTP.c, with things like
> > > > sprintf(line, "Host: %s%c%c", host, CR,LF);
>
On Tue, 29 Feb 100, T.E.Dickey wrote:
> this one's simple to fix (with a .* in the format). I don't know why we
> overlooked this module before (the files under src are a lot more work to
> go through).
I am also suspicious about some protocols under WWW (like finger,
WAIS, ...). Not that I have anything concrete, just because they are
rarely used they could easily slip by attention.
> > Other unchecked calls in HTTP.c involving 'line' (see 'language',
> > 'pref_charset') are less dangerous, since the information can come
> > only from lynx.cfg or .lynxrc or the Options screen (you get what you
> > deserve) not from any old Web page.
> >
> > I suggest to just skip sending those headers if the contents would be too
> > long, rather than using malloc'ed strings everywhere. It seems wasteful
>
> ...and rather than truncate them?
In this case, yes - truncating may make something valid-but-wrong out of
something invalid. If it's garbage, just drop it; and why burden a proxy
with processing multiple garbage headers instead of just a garbage URL.
Not that it's very important.
> > > PATH_MAX is technically a minimum - the system declares that it can
> > > support
> > > pathnames at least that long.
> >
> > But should we use it?
>
> it's better than nothing (at least it highlights places in the code that
> assume they're big enough to hold a pathname).
One downside is that it wastes more memory space for those buffers.
Another is that it may just further hide a problem (M. Zalewski needs
to use 'A' x 8000 instead of 'A' x 1024, or something...)
Maybe one should test what happens with an artificially small LY_MAXPATH,
like 20 or 30, and then do some browsing.
Klaus