Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <54705A39.6020000@debian.org>
Date: Sat, 22 Nov 2014 09:41:13 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Off-by-one question

On 22/11/14 06:28, Joshua Roers wrote:
> I'm just wondering, is it possible to use strncpy to overwrite memory
> addresses?

It is possible to use anything that writes through a pointer to
overwrite memory addresses, if you use it incorrectly.

>> char buf[4];
>> strncpy(buf, "Four", sizeof(buf));

buf = { 'F', 'o', 'u', 'r' }

There is no write overflow into the next thing on the stack after buf,
unless I'm missing something important, because "The strncpy() function
shall copy not more than n bytes" (strncpy(3posix), derived from
POSIX.1-2001).

However, buf is not 0-terminated yet, so printf("%s\n", buf) at this
point would output arbitrary memory contents from buf until the next 0
byte - a read overflow.

>> buf[sizeof(buf)-1] = '\0';

buf = { 'F', 'o', 'u', '\0' }

>> printf("%s\n", buf);

outputs "Fou" with no read or write overflow

> will strncpy write beyond the memory of 'buf', and set it to NUL?

"If there is no null byte in the first n bytes of the array pointed to
by s2, the result is not null-terminated." -strncpy(3posix) again

> From my understanding from
> http://cwe.mitre.org/data/definitions/193.html, it would.

I think the statement "the strncpy will add a null terminator to each
character array" in Example 2 is incorrect, unless there is an
implementation of strncpy() on some platform with behaviour other than
what POSIX says (I haven't checked the original specification of
strncpy(), which is ISO C).

However, "if the character arrays are output to the user through the
printf method the memory addresses at the overflow location may be
output to the user" is correct.

In Example 3, unlike Example 2, I think there is really a memory write
vulnerability: "The code does not account for the null character that is
added by the second strncat function call". strncat() is not like
strncpy(): it can write at most n+1 bytes.

The devil is in the details with this stuff. Prefer to use your
favourite runtime library's automatically-sized-string-buffer class
instead of ISO C string manipulation where possible.

    S

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.