[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: lynx-dev (forw) Possible buffer overflows in Lynx?

From: Klaus Weide
Subject: Re: lynx-dev (forw) Possible buffer overflows in Lynx?
Date: Tue, 29 Feb 2000 14:25:48 -0600 (CST)

> > > > Fixed lenght buffers are still used in various places, without checking 
> > > >  
> > > > always for overruns.  One place is HTTP.c, with things like  
> > > >   sprintf(line, "Host: %s%c%c", host, CR,LF);  
On Tue, 29 Feb 100, T.E.Dickey wrote:
> this one's simple to fix (with a .* in the format).  I don't know why we
> overlooked this module before (the files under src are a lot more work to
> go through).

I am also suspicious about some protocols under WWW (like finger,
WAIS, ...).  Not that I have anything concrete, just because they are
rarely used they could easily slip by attention.

> > Other unchecked calls in HTTP.c involving 'line' (see 'language', 
> > 'pref_charset') are less dangerous, since the information can come 
> > only from lynx.cfg or .lynxrc or the Options screen (you get what you 
> > deserve) not from any old Web page. 
> >  
> > I suggest to just skip sending those headers if the contents would be too 
> > long, rather than using malloc'ed strings everywhere.  It seems wasteful 
> ...and rather than truncate them?

In this case, yes - truncating may make something valid-but-wrong out of
something invalid.  If it's garbage, just drop it; and why burden a proxy
with processing multiple garbage headers instead of just a garbage URL.
Not that it's very important.

> > > PATH_MAX is technically a minimum - the system declares that it can 
> > > support 
> > > pathnames at least that long. 
> >  
> > But should we use it? 
> it's better than nothing (at least it highlights places in the code that
> assume they're big enough to hold a pathname).

One downside is that it wastes more memory space for those buffers.
Another is that it may just further hide a problem (M. Zalewski needs
to use 'A' x 8000 instead of 'A' x 1024, or something...)

Maybe one should test what happens with an artificially small LY_MAXPATH,
like 20 or 30, and then do some browsing.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]