From: Ryan Anderson
Date: Mon, 28 Mar 2005 15:03:35 +0000
Subject: Re: [KJ] critical bug in strncpy()
Message-Id: <20050328150335.GO11081@ryan2>
References: <200503281155.16199.vicente.feito@gmail.com>
In-Reply-To: <200503281155.16199.vicente.feito@gmail.com>
To: kernel-janitors@vger.kernel.org

On Mon, Mar 28, 2005 at 04:34:16PM +0200, walter harms wrote:
> hi all,
> The kernel version of strcpy() is buggy. It copies ALWAYS n bytes.
> Since I have NO idea if this is exploitable somehow, I would still
> recommend to REMOVE the code. See example below if you do not believe me.
> Also below you find a snippet from libString/Strncpy.c.

The kernel version prevents information leakage by overwriting the rest of
the buffer with 0 after finishing the actual copy.  I'm fairly certain the
behavior was intended.

> I did not provide a patch since this is NOT my code. (btw: changed the
> name from Strncopy to strncpy). C&P this into the kernel/lib/string.c.
>
>
> re,
>  walter
>
>
> /* in case this is needed */
> Signed-off-by: walter harms
>
>
>
> /* linux kernel */
> #include <stdio.h>      /* printf(), size_t */
>
> char * K_strncpy(char * dest,const char *src,size_t count)
> {
>     char *tmp = dest;
>
>     while (count) {
>         if ((*tmp = *src) != 0) src++;   /* <-MISSING case == 0 */
>
>         tmp++;
>         count--;
>     }
>     printf("count=%zu\n", count);        /* size_t wants %zu, not %d */
>     return dest;
> }
>
> int main()
> {
>     char *src="15" ;
>     char dst[]="123";
>
>     /* count (500) is far larger than dst (4 bytes): all 500 bytes get written */
>     K_strncpy(dst,src,500);
>
>     return 0;
> }
>
>
> I looked a bit around and found this nice version.
>
>
> /*
>  * libString, Copyright (C) 1999 Patrick Alken
>  * This library comes with absolutely NO WARRANTY
>  *
>  * Should you choose to use and/or modify this source code, please
>  * do so under the terms of the GNU General Public License under which
>  * this library is distributed.
>  *
>  * $Id: Strncpy.c,v 1.1.1.1 2000/10/02 12:02:27 decho Exp $
>  */
>
> #include <stddef.h>   /* for size_t; the original include's header name was lost in extraction */
>
> /*
> Strncpy()
>  Optimized version of strncpy().
>
> Inputs: dest   - destination string
>         source - source string
>         bytes  - number of bytes to copy
>
> NOTE: A terminating \0 character is only copied to 'dest' if
>       'source' is terminated by one, provided the limit 'bytes'
>       has not yet been reached.
>
> Return: destination string
> */
>
> char *
> strncpy(char *dest, const char *source, const size_t bytes)
>
> {
>   register char *end = dest + bytes;
>   register char *s = dest;
>
>   while ((s < end) && (*s++ = *source++))
>     ;
>
>   return (dest);
> } /* Strncpy() */
>
>
> _______________________________________________
> Kernel-janitors mailing list
> Kernel-janitors@lists.osdl.org
> http://lists.osdl.org/mailman/listinfo/kernel-janitors

-- 
Ryan Anderson
  AutoWeb Communications, Inc.
  email: ryan@autoweb.net
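Added example (not part of the thread, the kernel, or libString): the two quoted loops side by side on a buffer pre-filled with a constructed 'X' pattern, showing that the kernel loop scrubs the tail while the libString loop leaves the stale bytes in place, and that neither writes a terminator when the source fills the whole buffer. The names k_strncpy, lib_strncpy and stale_after_copy are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Kernel-style strncpy as quoted in the thread: after the source's NUL,
 * src stops advancing but writes continue, so dest's tail is zero-filled. */
char *k_strncpy(char *dest, const char *src, size_t count)
{
    char *tmp = dest;
    while (count) {
        if ((*tmp = *src) != 0)
            src++;
        tmp++;
        count--;
    }
    return dest;
}

/* libString-style Strncpy: stops at the first NUL or at 'bytes', leaving
 * whatever dest held beyond that point untouched. */
char *lib_strncpy(char *dest, const char *source, size_t bytes)
{
    char *end = dest + bytes, *s = dest;
    while ((s < end) && (*s++ = *source++))
        ;
    return dest;
}

/* Copy 'src' into an 8-byte buffer pre-filled with 'X' (a constructed
 * stand-in for stale data) with one of the two variants. Returns the
 * number of 'X' bytes left after the terminator, or -1 if no terminator
 * was written at all (neither variant guarantees one). */
long stale_after_copy(int kernel_style, const char *src)
{
    char buf[8];
    size_t i = 0; long n = 0;
    memset(buf, 'X', sizeof buf);
    if (kernel_style)
        k_strncpy(buf, src, sizeof buf);
    else
        lib_strncpy(buf, src, sizeof buf);
    while (i < sizeof buf && buf[i] != '\0')
        i++;
    if (i == sizeof buf)
        return -1;
    for (; i < sizeof buf; i++)
        if (buf[i] == 'X')
            n++;
    return n;
}
```

A caller that later copies the whole buffer out (for example to user space) only gets a clean tail from the kernel variant; the unterminated case is the same for both and is the caller's responsibility.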