From mboxrd@z Thu Jan 1 00:00:00 1970
References: <03dd9a6798effc7cf713d579f6bbc0e6@isd.dp.ua> <636BFA64-E5C9-417C-AD9E-E6BCEAACB02B@gmail.com> <51AF3F6A.8000605@gmx.de>
From: Don Bailey
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <51AF3F6A.8000605@gmx.de>
Message-Id:
Date: Wed, 5 Jun 2013 07:54:50 -0600
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Subject: Re: [9fans] lpdaemon
Topicbox-Message-UUID: 63b7a5ae-ead8-11e9-9d60-3106f5b1d025

You're absolutely correct if the length of value to be copied is not validated prior to the copy. Then, an invalid page could be hit if no nil is present within the array or beyond.

I wasn't providing a verbatim patch (notice the function and operator weren't filled in). I was just providing the sequence of events that should occur. Eric points out correctly that strncpy effectively performs the first operation on the user's behalf. The second is achieved through the write to N.

To be verbose, my bypassing of strncpy is due to issues I've encountered in multi-threaded code. e.g. Don't trust libc copy functions in MT envs, always check post call.

An interesting and sometimes desirable effect of crashing on an invalid page read is that if memory can be corrupted, a consistent unexploitable crash is better than entering a context where the bug becomes exploitable.

D

On Jun 5, 2013, at 7:38 AM, Friedrich Psiorz wrote:

> I think your code is wrong. If the NUL byte is present, it doesn't do
> anything, however if it is not there, strlen will read more than it
> should, and possibly try to read some invalid address.
> In case info.host is a fixed size array, a simple
> info.host[sizeof info.host - 1] = 0;
> would do.
>
> On 05.06.2013 15:13, Don Bailey wrote:
>> The first opportunity to write a nil byte should always be taken. Using sizeof only means that in corner cases memory disclosure may occur between where the nil should be and the end of the array. While this isn't a security critical app, it is still good coding practice.
>>
>> x = strlen(info.host) < sizeof info.host ? strlen() : sizeof ;
>> info.host[x] = 0;
>>
>> D
>
>
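The thread above turns on two points: strncpy does not write a terminator when the source fills the whole destination, and calling strlen on such a buffer reads past the array. The C below is an added illustration for this thread, not code from the thread or from Plan 9's lpdaemon. The struct name, the 16-byte host array, and the function names are assumptions chosen for the example; the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the struct discussed in the thread: a
 * fixed-size host buffer. The 16-byte size is an assumption for this
 * example, not taken from the lpdaemon source. */
struct info {
    char host[16];
};

/* Length of a buffer that may or may not be NUL-terminated, bounded by
 * the array size. Unlike strlen, this never reads beyond n bytes, so it
 * is safe to call on the result of a bare strncpy. Returns n when no
 * terminator is present within the array. */
size_t bounded_len(const char *buf, size_t n)
{
    size_t i;
    for (i = 0; i < n && buf[i] != '\0'; i++)
        ;
    return i;
}

/* Copy src into dst (size n) and always leave dst NUL-terminated.
 * This is the "write the nil at the first opportunity" rule from the
 * thread made explicit: strncpy does the bounded copy, and the post-call
 * check writes the terminator if strncpy did not. Returns 1 if src fit
 * entirely, 0 if it was truncated. */
int copy_host(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return 0;
    strncpy(dst, src, n);
    if (dst[n - 1] != '\0') {   /* source filled the array: no terminator written */
        dst[n - 1] = '\0';
        return 0;
    }
    return 1;
}

/* Demonstrates the hazard itself: after a bare strncpy of an over-long
 * source, the array holds no NUL at all. Returns 1 if dst is left
 * unterminated, 0 if strncpy terminated it. The buffer is pre-filled with
 * 'X' so the result does not depend on stack garbage. */
int strncpy_leaves_unterminated(const char *src)
{
    struct info info;
    memset(info.host, 'X', sizeof info.host);
    strncpy(info.host, src, sizeof info.host);
    return bounded_len(info.host, sizeof info.host) == sizeof info.host;
}

/* Copy one constructed host name through copy_host into a fresh struct
 * and report the stored length, which can never exceed
 * sizeof info.host - 1 because the terminator is guaranteed. */
size_t stored_len_after_copy(const char *src)
{
    struct info info;
    copy_host(info.host, sizeof info.host, src);
    return bounded_len(info.host, sizeof info.host);
}

int main(void)
{
    const char *short_name = "example.org";                    /* constructed */
    const char *long_name = "a-very-long-host-name.example";   /* constructed, > 16 bytes */

    printf("bare strncpy of long name unterminated: %d\n",
           strncpy_leaves_unterminated(long_name));
    printf("bare strncpy of short name unterminated: %d\n",
           strncpy_leaves_unterminated(short_name));
    printf("copy_host stores %zu bytes of short name\n", stored_len_after_copy(short_name));
    printf("copy_host stores %zu bytes of long name\n", stored_len_after_copy(long_name));
    return 0;
}
```

The design point is the post-call check Don describes: the copy function may or may not terminate the buffer, so the caller decides, and the terminator goes at index n - 1 regardless of what strlen would report. bounded_len stands in for strnlen where that is unavailable, and is the only length routine that may be run on the buffer before the terminator has been written.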