Dangerous strcpy

Vladimir G. Ivanovic vgivanovic at comcast.net
Thu Jun 22 00:46:04 EDT 2006


On Wed, 2006-06-21 at 21:44 -0600, Jerry James wrote:
> I wrote:
> > I tried out a "security checker" today that supposedly looks for
> > security-related properties of code.  It mostly produced nonsense, but
> > it did find this: in sound.c, line 645, we do a strcpy.  We are copying
> > into a stack buffer of fixed size (255 bytes).  We are copying from
> > h->h_name, where h is a struct hostent * returned by gethostbyname().
> > Do we actually know that h->h_name must be 254 (+ 1 null terminator)
> > characters long or less?  I don't see anything on the gethostbyname man
> > page that so indicates.
> 
> Vladimir Ivanovic wrote to tell me that he sees various definitions of
> MAXHOSTNAMELEN, including 32, 64, and 255.  He also pointed out that
> POSIX defines a bound.  According to the current POSIX spec, platforms
> may define a constant named HOST_NAME_MAX in <limits.h> that gives the
> length of the largest string that gethostbyname() will return.  It also
> states that they may fail to define that constant, in which case you
> have to use sysconf() to find the right value.  If HOST_NAME_MAX is
> defined, then it must be no smaller than 255.
> 
> The upshot is that overrunning the buffer is unlikely, but possible,
> since some systems may support host names of length > 255.  Well, 254,
> with the code in its present state.
> 
> Thanks Vladimir!

It's been a long time since I've used sysconf()... but that's probably
the way to go.

--- Vladimir

P.S. I was going to comment that it's unlikely but possible for the host
name length (is that the entire hostname+domainname or just the
hostname-domainname?) to be more than 255 characters in length. Looks
like the perfect use for an assert()!

-- 
Vladimir G. Ivanovic <vgivanovic at comcast.net>
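The bounded copy the thread is circling around, written out as an added example (this is not code from the thread or from XEmacs's sound.c): host_name_capacity() asks sysconf(_SC_HOST_NAME_MAX) first and falls back to HOST_NAME_MAX or the POSIX minimum of 255, and copy_host_name() replaces the bare strcpy(buf, h->h_name) with a copy that refuses, rather than overruns, when the name plus its NUL does not fit. The function names and the over-long sample host name are my own constructions; no real gethostbyname() call is made, so it runs offline.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Largest host name (excluding the terminating NUL) the platform promises
 * gethostbyname() can return. Prefer the runtime value from sysconf(); if
 * that is unavailable use the compile-time HOST_NAME_MAX, and as a last
 * resort the POSIX minimum of 255. */
size_t host_name_capacity(void)
{
    long n = sysconf(_SC_HOST_NAME_MAX);
    if (n > 0)
        return (size_t)n;
#ifdef HOST_NAME_MAX
    return (size_t)HOST_NAME_MAX;
#else
    return 255;
#endif
}

/* Bounded replacement for strcpy(dst, h->h_name).
 * Copies name into dst (dstsize bytes). Returns 0 on success, -1 when the
 * name plus its NUL would not fit; in that case dst is set to "" instead of
 * being silently truncated or overrun. Never reads more than dstsize bytes
 * of name, so an unterminated source cannot make it read out of bounds. */
int copy_host_name(char *dst, size_t dstsize, const char *name)
{
    const char *nul;
    size_t len;

    if (dst == NULL || dstsize == 0)
        return -1;
    if (name == NULL) {
        dst[0] = '\0';
        return -1;
    }
    /* Look for the terminator only within the space we could copy into. */
    nul = memchr(name, '\0', dstsize);
    if (nul == NULL) {          /* name is >= dstsize chars: no room for NUL */
        dst[0] = '\0';
        return -1;
    }
    len = (size_t)(nul - name);
    memcpy(dst, name, len + 1); /* includes the NUL */
    return 0;
}

/* Fill out with a constructed host name of exactly len characters
 * ("aaaa.aaaa...."); out must have room for len + 1 bytes. */
void make_constructed_name(char *out, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        out[i] = (i % 5 == 4) ? '.' : 'a';
    out[len] = '\0';
}

int main(void)
{
    char fixed[255];                     /* the stack buffer from sound.c */
    char longname[400];
    size_t cap = host_name_capacity();
    char *sized = malloc(cap + 1);       /* buffer sized from sysconf() */

    make_constructed_name(longname, 300);
    printf("platform host name capacity: %zu\n", cap);
    printf("300-char name into fixed[255]: %s\n",
           copy_host_name(fixed, sizeof fixed, longname) == 0 ? "ok" : "rejected");
    if (sized != NULL) {
        printf("300-char name into sized[%zu]: %s\n", cap + 1,
               copy_host_name(sized, cap + 1, longname) == 0 ? "ok" : "rejected");
        free(sized);
    }
    return 0;
}
```

Two things worth noting about the design. The rejected case returns an error instead of truncating, because a silently shortened host name can later be looked up or logged as if it were a different host. And the check is a real runtime test rather than an assert(): assert() is compiled out under NDEBUG, so a release build would be back to the unchecked strcpy.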