bug-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug #28446] No checks are made for unteminated strings in RPC messa

From: Carl Fredrik Hammar
Subject: Re: [bug #28446] No checks are made for unteminated strings in RPC messages
Date: Fri, 1 Jan 2010 22:36:35 +0100
User-agent: Mutt/1.5.20 (2009-06-14) 
Hi,

On Thu, Dec 31, 2009 at 04:12:21AM +0100, olafBuddenhagen@gmx.net wrote:
> On Wed, Dec 30, 2009 at 07:42:21PM +0000, Carl Fredrik Hammar wrote:
> 
> > Strings in RPCs, such as the filename argument to a dir_lookup, are
> > not checked if they are terminated by '\0'.  This could lead to the
> > server segfaulting if it tries to read the string.
> > 
> > Making MIG check that strings are terminated seems like the proper
> > fix.
> 
> AIUI, the first step would be implementing actual string support in MiG
> at all...

MIG seems to already have some awareness of strings, atleast the client
part uses a variant of strncpy() to copy the string into the message.
So it should be possible to generate code specifically for strings in
the server part as well.

> While this should probably be considered a todo item, in the present
> situation, if a server doesn't protect against non-terminated strings,
> it's a bug *in this server*. If you see any actual instances of this,
> could you report them?...

It is hard to be certain that a translator isn't vounerable unless it
has an explicit check, which I expect no translator currently have.
For instance, I extfs returns ENAMETOOLONG because it I tested with a
single component path, but it might be possible to get it to read past
the end using many components, e.g. `././././....', though I suspect
this will return ELOOP.

Fixing MIG seems much easier and safer.

Regards,
  Fredrik
reply via email to
[Prev in Thread] Current Thread [Next in Thread]