Hacker News new | ask | show | jobs
by floating-io 331 days ago
Assuming that code is actually present in your app, env vars can hold more than 255 characters. Easy buffer overflow to trigger. Use length-bounded copies and concats...

That's just off the top of my head; I've not written in C in a while.
1 comments
h2337 331 days ago
Why would you want to trigger a buffer overflow in user application if you can already control HOME envvar?
link
floating-io 331 days ago
Yeah, that is not a helpful attitude to take when it comes to this sort of thing. If nothing else, a super-long home path can crash your app and leave your user scratching their head. In other words, this is a bug (as is the fact that paths are not necessarily limited to 255 characters in the first place; see the PATH_MAX constant, I think it is?).

As to what could be accomplished with an overflow? I don't know; I'm not in security, and I don't sit around thinking of possible uses for various bugs when it comes to compromising systems.

Perhaps the most important thing to realize, though, is that you're distributing software publicly. Your security situation may not be the same as your user's security situation. Assumptions should not be made.

Something to keep in mind.

link
h2337 331 days ago
Thanks for the discussion. Fix is already committed.
link
db48x 331 days ago
As long as you’re fixing that bug, you should do it right. If the return value from snprintf if more than 256 but less than a few GB then you should malloc a buffer big enough to hold the string and then call snprintf again with the new buffer. Only if that or malloc fails would you print an error. (It’s really a shame that the C standard library requires so many extra steps to do things correctly; this ought to be way easier.)
link
floating-io 331 days ago
Not sure offhand how portable it is, but asprintf() handles automatic buffer allocation, thus not requiring any extra steps afaik.

It does exit on MacOS and Linux, at the very least.

link
db48x 331 days ago
Those are so unportable that I’d completely forgotten about them :)

But my man pages say that they exist on BSD in addition to GNU, so that’s pretty good these days. I say go for it.

link
floating-io 331 days ago
No problem. =)
link