security review and patches for libpurple
Dan Auerbach
dtauerbach at eff.org
Wed Aug 17 17:12:16 EDT 2011
On 08/11/2011 09:25 PM, Paul Aurich wrote:
> And Ethan Blanton spoke on 08/11/2011 08:19 AM, saying:
>> * zephyr-protectoverflow.diff
>>
>> This may be OK, but I don't like it. At the very least, it needs to
>> reference G_MAXULONG or something of the sort.
> * Intermingling g_* and libc allocation functions is a no-no (it breaks
> on Win32, where glib doesn't use the underlying allocator -- annoying, but
> such is life)
> * Exiting when a read fails seems icky. Then again, this is Zephyr and
> it's right after a select()
>
> I'm assuming the special value (2^27) comes from being "big enough that
> nobody would reasonably expect to allocate/read that much memory". Is that
> correct? I'm a bit uneasy about this (and assuming that's what Ethan was
> uneasy about), but I also think it's accurate that nobody would try to
> legitimately need that big of a buffer in either of these functions.
> Famous last words.
That's correct. The general philosophy is to bound all of these
allocations---I'm certainly not married to 2^27, nor to keeping this
constant here, nor to exiting when a read fails. But I think the idea of
bounding allocations is a good one; I'll respond to Mark's email about
this, and the patch below.
>> * util-strdup.diff
>>
>> This has the same problem as the Zephyr overflow protection patch.
> If the string is large enough, it seems to me like 'i' would wrap around to
> 0 (I'd need to reason a bit more about this to convince myself the app
> wouldn't die first) and spin in a loop.
>
> I'm also trying to think of a way to avoid the extra strlen() -- does
> checking if destsize< i work (destsize starts at 1)?
>
> ~Paul
>
More information about the security
mailing list