Buffer overflow in inndstart

Forrest J. Cavalier III mibsoft at mibsoftware.com
Tue Sep 7 04:59:08 UTC 1999


> This is just papering over the problem.  The environment population code
> in inndstart is completely wrong.  It shouldn't be using a fixed buffer at
> any stage; it should be allocating the required memory up-front, since it
> can calculate exactly how much memory it will need.


Well, there are two schools of thought.... There are times
when you should just do exactly what the user asks, allocate all
the needed space for a string, and move on.  The
problem is that this can lead to DoS attacks pretty
easily, and nothing gets logged.

For fast, efficient, "limitless" strings which
"drop into" existing code without much modification, I
use my open source astring library.  
    http://www.mibsoftware.com/libmib/astring/

The inndstart code would have been a very easy rewrite:
    char *buff = 0;
    astrcpy(&buff,"BIND_INADDR=");
    astrcat(&buff,p);

The *BSDs have an asprintf() you might want to look at
as well.

---------------------------------------------------------

The other school of thought says, "Hmmm, a 9000 character
time zone.  Sounds odd.  Let's log it and exit."  That's
what I suggested in this particular case.

---------------------------------------------------------

BTW, if funding could be secured, I'd be able to rewrite
ALL of the string handling code in INN to use astrings instead
of the clumsy methods now.  This is something I've wanted
to do since the 1997 buffer overflow reports, but it is not
a spare time project.

Be quiet, Marc.  :-)
---------------------------------------------------------

Forrest
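
The two approaches discussed in this message, combined in one routine, as an added example that is not part of the original message and is not INN or astring code: the entry is allocated at exactly the size computed up-front, and an implausibly long value is logged and refused. The names env_entry and ENV_VALUE_MAX, the 256-byte limit, and the use of stderr in place of a real logging call are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit chosen for this example; not a value from INN. */
#define ENV_VALUE_MAX 256

/*
 * Build "NAME=value" in exactly-sized heap memory.
 * Returns NULL (after logging) if the value is implausibly long or
 * allocation fails; the caller decides whether to exit.
 */
char *env_entry(const char *name, const char *value)
{
    size_t nlen, vlen, total;
    char *buf;

    if (name == NULL || value == NULL)
        return NULL;
    nlen = strlen(name);
    vlen = strlen(value);

    /* "Log it and exit" school: an oversized value is refused, with a record. */
    if (vlen > ENV_VALUE_MAX) {
        fprintf(stderr, "env_entry: %s value is %lu bytes (limit %d), rejected\n",
                name, (unsigned long)vlen, ENV_VALUE_MAX);
        return NULL;
    }

    /* "Allocate up-front" school: the size is known, so allocate exactly it. */
    total = nlen + 1 + vlen + 1;             /* name '=' value NUL */
    buf = malloc(total);
    if (buf == NULL) {
        fprintf(stderr, "env_entry: out of memory for %s\n", name);
        return NULL;
    }
    memcpy(buf, name, nlen);
    buf[nlen] = '=';
    memcpy(buf + nlen + 1, value, vlen + 1); /* copies the terminating NUL */
    return buf;
}

int main(void)
{
    char big[9001];                          /* constructed 9000-char input */
    char *ok = env_entry("BIND_INADDR", "192.0.2.1");

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%s\n", ok ? ok : "(rejected)");
    printf("%s\n", env_entry("TZ", big) ? "accepted" : "rejected");
    free(ok);
    return 0;
}
```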
