Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: CPSN 4-970424: Possible buffer overflow in pop3d
From: achurch () DRAGONFIRE NET (Andy Church)
Date: Mon, 28 Apr 1997 11:23:54 EDT


       FUNCTION: svr_auth(state,inbuf), has the "offending" line:
                       strcpy(cli_user,inbuf);
       BUT:  svr_auth is called from MAIN with:
                       svr_state = svr_auth(svr_state,cli_buf);
       where cli_buf is read previously from stdin with:
                       if (fgetl(cli_buf,CLI_BUFSIZ,stdin) == NULL)

Now this machine doesn't have a manpage for "fgetl"

     It's a custom routine (see util.c) which reads a line of text from a
file and discards all but the first `len'-1 bytes (CLI_BUFSIZ-1 in this
case).

but, from the arguments, it looks like it will check the length...

     Indeed it will; therefore, _the strcpy() is safe_.  However, as a
general rule, I always comment strcpy() or similar calls with an
explanation of why the call is safe in order to prevent confusion such as
this.

     This just goes to show that strcpy() isn't _always_ a security hole...

  --Andy Church                  | If Bell Atlantic really is the heart
    achurch () dragonfire net       | of communication, then it desperately
    www.dragonfire.net/~achurch/ | needs a quadruple bypass.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault