Re: Another Netscape Bug (and possible security hole)
At 07:33 1995.09.22 GMT, Jeff Weinstein wrote:
In article <199509220612.CAA11441@clark.net>, rjc@clark.net (Ray Cromwell) writes:
I've found a Netscape bug which I suspect is a buffer overflow and may have the potential for serious damage. If it is an overflow bug, then it may be possible to infect every computer which accesses a web page with Netscape. To see the bug, create an html file containing the following:
Thanks for the report. I will make sure that this is fixed.
--Jeff
Don't just look at this bug, though... check ALL your static buffers and include code to check for overflow writes. For example, if Netscape is written in C or C++ and the above code uses strcpy(), you could change strcpy() to strncpy() everywhere (and then set the last char to null in case strncpy() didn't). Your programmers will know what I mean.

Herb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Herb Sutter                   2228 Urwin, Suite 102         voice (416) 618-0184
Connected Object Solutions    Oakville ON Canada L6L 2T2    fax (905) 847-6019
On Fri, 22 Sep 1995 09:47:35 -0400, herbs@interlog.com (Herb Sutter) wrote:
Don't just look at this bug, though... check ALL your static buffers and include code to check for overflow writes. For example, if Netscape is written in C or C++ and the above code uses strcpy(), you could change strcpy() to strncpy() everywhere (and then set the last char to null in case strncpy() didn't). Your programmers will know what I mean.
Better yet, ban both strncpy and strncat. Replace them with differently-named routines (strbcpy and strbcat?) that, given a buffer length, are GUARANTEED to always give you a properly terminated string that (including the terminator) does not overflow the specified buffer. Even better, use a good string class that does all this automatically all the time.
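The two messages above describe the same fix from two angles: Herb's "strncpy() and then set the last char to null" workaround, and the follow-up's proposal for differently-named routines that take a buffer length and always leave a terminated, in-bounds string. The C below is an added example written for this archive page, not code from Netscape or from either poster. It uses the names strbcpy and strbcat suggested in the reply; the return-value convention (the length the result would have needed, so a value >= the buffer size signals truncation) and the treatment of an unterminated destination in strbcat are my assumptions. The first helper also shows the strncpy behaviour Herb's extra null-store guards against: an 8-byte source copied into an 8-byte buffer leaves no terminator at all.

```c
#include <stdio.h>
#include <string.h>

/* Demonstrates the strncpy pitfall: when the source fills the whole
 * buffer, strncpy writes no terminator. Returns 1 if buf ended up
 * unterminated (the case Herb's "set the last char to null" step covers). */
int strncpy_leaves_unterminated(void)
{
    char buf[8];
    strncpy(buf, "ABCDEFGH", sizeof buf);   /* writes all 8 bytes, no NUL */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* strbcpy (name from the thread, semantics assumed): copy src into dst,
 * which holds dstsize bytes. Never writes past dst, and always leaves a
 * terminator when dstsize > 0. Returns strlen(src), so a caller detects
 * truncation with: strbcpy(...) >= dstsize. */
size_t strbcpy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;                      /* nothing we can safely write */
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                          /* terminator always inside dst */
    return srclen;
}

/* strbcat (name from the thread, semantics assumed): append src to the
 * string already in dst with the same guarantees. Returns the length the
 * full concatenation would have needed; >= dstsize means truncation.
 * If dst holds no terminator within dstsize it is treated as full and
 * nothing is appended, so a corrupt destination cannot drive a read or
 * write past the buffer. */
size_t strbcat(char *dst, size_t dstsize, const char *src)
{
    size_t dstlen = 0;
    while (dstlen < dstsize && dst[dstlen] != '\0')
        dstlen++;
    size_t srclen = strlen(src);
    if (dstlen == dstsize)                  /* no terminator found */
        return dstsize + srclen;
    return dstlen + strbcpy(dst + dstlen, dstsize - dstlen, src);
}

/* Returns 1 when strbcpy both truncates an oversized source to fit the
 * buffer and reports the truncation through its return value. */
int strbcpy_truncates_safely(void)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);           /* constructed garbage fill */
    size_t need = strbcpy(buf, sizeof buf, "ABCDEFGHIJ");
    /* need is 10 (>= 8, truncated); buf holds "ABCDEFG" plus terminator */
    return need == 10 && strcmp(buf, "ABCDEFG") == 0;
}

int main(void)
{
    char buf[8];
    printf("strncpy left buffer unterminated: %d\n", strncpy_leaves_unterminated());
    printf("strbcpy truncates safely: %d\n", strbcpy_truncates_safely());
    size_t need = strbcpy(buf, sizeof buf, "abc");
    printf("strbcpy -> \"%s\" (needed %zu)\n", buf, need);
    need = strbcat(buf, sizeof buf, "defghij");
    printf("strbcat -> \"%s\" (needed %zu, truncated=%d)\n",
           buf, need, need >= sizeof buf);
    return 0;
}
```

The point of returning the needed length rather than a bare success flag is that the caller can log or reject an over-long input (the HTML attribute in Ray's report would be one such input) instead of silently shipping a clipped value.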