Dangerous strcpy

Jerry James james at xemacs.org
Wed Jun 21 23:44:21 EDT 2006


I wrote:
> I tried out a "security checker" today that supposedly looks for
> security-related properties of code.  It mostly produced nonsense, but
> it did find this: in sound.c, line 645, we do a strcpy.  We are copying
> into a stack buffer of fixed size (255 bytes).  We are copying from
> h->h_name, where h is a struct hostent * returned by gethostbyname().
> Do we actually know that h->h_name must be 254 (+ 1 null terminator)
> characters long or less?  I don't see anything on the gethostbyname man
> page that so indicates.

Vladimir Ivanovic wrote to tell me that he sees various definitions of
MAXHOSTNAMELEN, including 32, 64, and 255.  He also pointed out that
POSIX defines a bound.  According to the current POSIX spec, platforms
may define a constant named HOST_NAME_MAX in <limits.h> that gives the
length of the largest string that gethostbyname() will return.  It also
states that they may fail to define that constant, in which case you
have to use sysconf() to find the right value.  If HOST_NAME_MAX is
defined, then it must be no smaller than 255.

The upshot is that overrunning the buffer is unlikely, but possible,
since some systems may support host names of length > 255.  Well, 254,
with the code in its present state.

Thanks Vladimir!
-- 
Jerry James, Assistant Professor        james at xemacs.org
Computer Science Department             http://www.cs.usu.edu/~jerry/
Utah State University
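A bounded replacement for the strcpy(buf, h->h_name) pattern the thread is about, written as an added example for this archive page; it is not code from sound.c or from XEmacs. It sizes the limit the way the POSIX text quoted above describes (HOST_NAME_MAX from <limits.h> if defined, else sysconf(_SC_HOST_NAME_MAX), with 255 as the floor), and replaces the unbounded copy with one that refuses to write past the destination. The function names host_name_limit() and copy_hostname() and the sample names are assumptions made for this example; no gethostbyname() call is made, so it runs offline.

```c
/* Added example, not XEmacs code.  host_name_limit() and copy_hostname()
 * are names chosen for this example.  The sample host names in main()
 * are constructed inputs. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Largest host name this platform promises, following the POSIX rule
 * quoted in the post: HOST_NAME_MAX if <limits.h> defines it, otherwise
 * sysconf().  sysconf() returns -1 for "indeterminate", and POSIX says a
 * defined HOST_NAME_MAX is never below 255, so 255 is used as the floor. */
size_t host_name_limit(void)
{
    long n;
#ifdef HOST_NAME_MAX
    n = HOST_NAME_MAX;
#else
    n = sysconf(_SC_HOST_NAME_MAX);
#endif
    if (n < 255)
        n = 255;
    return (size_t)n;
}

/* Copy src into dst, whose capacity dstsize includes the terminator.
 * Returns 0 on success and -1 if src does not fit; dst is always
 * NUL-terminated and never written beyond dstsize.  Refusing the copy
 * outright (instead of silently truncating) means a too-long host name
 * can never be turned into a different, shorter name that still looks
 * valid to the caller. */
int copy_hostname(char *dst, size_t dstsize, const char *src)
{
    const char *end;
    size_t len;

    if (dstsize == 0)
        return -1;
    /* memchr is bounded by dstsize, so an oversized or unterminated src
     * cannot make us scan or copy more than the buffer can hold. */
    end = memchr(src, '\0', dstsize);
    if (end == NULL) {          /* no terminator within dstsize: too long */
        dst[0] = '\0';
        return -1;
    }
    len = (size_t)(end - src);  /* < dstsize, so len + 1 fits */
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    char fixed[255];            /* same fixed size as the buffer in the post */
    const char *short_name = "host.example.org";   /* constructed */
    char long_name[300];                            /* constructed, 299 chars */
    char *sized;

    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("platform host name limit: %zu\n", host_name_limit());
    printf("short name into 255-byte buffer: %d\n",
           copy_hostname(fixed, sizeof fixed, short_name));
    printf("299-char name into 255-byte buffer: %d\n",
           copy_hostname(fixed, sizeof fixed, long_name));

    /* The alternative the post points at: size the buffer from the
     * platform limit instead of a hard-coded 255. */
    sized = malloc(host_name_limit() + 1);
    if (sized != NULL) {
        printf("299-char name into limit-sized buffer: %d\n",
               copy_hostname(sized, host_name_limit() + 1, long_name));
        free(sized);
    }
    return 0;
}
```

With a 255-byte destination, a 254-character name is the longest that copies successfully, which matches the "254, with the code in its present state" remark above; anything longer is rejected rather than overrunning the stack.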