security review and patches for libpurple

Ethan Blanton elb at pidgin.im
Sun Jul 17 17:54:49 EDT 2011 

Dan Auerbach spake unto us the following wisdom:
> >I also note a number of changes of the form:
> >
> >  buffer = malloc(some expression);
> >  [...]
> >-strcpy(buffer, source);
> >+g_strlcpy(buffer, source, some expression);
> >
> >This is not substantially superior to the preexisting strcpy.  It may
> >silence some automated tools, but it introduces an additional way in
> >which the code in question can be wrong.  Specifically, the expression
> >which is duplicated in the malloc and strlcpy can diverge with
> >disastrous consequences.  Assuming the expression is correct, the
> >strcpy implementation is more robust than the strlcpy implementation.
> >If the expression is incorrect, all bets are off in both
> >implementations without more contextual information.
> 
> I understand the concern about the expressions diverging. However, I
> think the benefits of following the standard of using strlcpy outweigh
> these concerns. There are two points that I would raise in support:
>
> 1. There are many other ways in which the code might change in which
>    leaving strcpy would actually be worse than strlcpy. For example,
>    code might be copied and pasted such that malloc was no longer
>    invoked before strcpy. So I'd say analysis above that strcpy is
>    more robust is true modulo certain assumptions about how the code
>    may change with time, but that without those assumptions it's not
>    as clear as to which implementation is safer in the long run.

Sure.  I'm not sure, on a whole, the strlcpy is really safer, though,
without more work (see below).

> 2. More generally, there may be situations in which the semantics of
>    an "unsafe" function such as strcpy are more desirable for a number
>    of reasons. But I think it still is good to exercise discipline and
>    stick to safe functions, even if they have locally undesirable
>    effects, for the long-term security and stylistic consistency of
>    the code base.

Maybe.  That depends a *lot* on context.  This is a real disadvantage
of static analysis tools -- the person reading the output has to take
a careful look at what the code actually does.  There are other errors
in the patches which I believe are the result of static analysis
limitations (such as a +1 added to a malloc where it doesn't belong).
I bring this up as a general "gotcha" to keep an eye on, not as
specific criticism.

> That said, there are other ways to change the code that use safe
> functions and also avoid or minimize the concern above, and looking
> into this is certainly worthwhile. For example, there could be a
> wrapper that handles the malloc call and saves the mallocd size
> "some expression" to another variable, used later in strlcpy. Even
> the small step of setting "var = some expression", and then passing
> in var both to malloc and to strlcpy helps to mitigate the concern,
> and should be implemented. That we failed to implement these easy
> mitigation strategies is an error, and in the future we will try to
> be more diligent in making the patches as good as possible.

In quite a few places, I have added a variable to store the results of
the expression.  Things like:

+len = strlen(str) + 1;
-buf = malloc(strlen(str) + 1);
-g_strlcpy(buf, str, strlen(str) + 1);
+buf = malloc(len);
+g_strlcpy(buf, str, len);

In general, this is a much superior solution.  This was actually the
point of my note, not that strlcpy is *inferior* to strcpy.  Bounds
checks with on-the-spot calculated bounds must be used *very*
carefully, whereas bounds which are tied by the compiler to other
manipulations and allocations are much safer.

The real cake is, of course, sizeof() where applicable.  :-)

I have corrected these patterns in the patches where they occurred,
and I have corrected fencepost errors where they occurred.  I've
applied about half of the patches with or without some modification.
Some of the patches have more serious errors or make assumptions I
need to validate before they can be applied.  I hope to send a list of
those patches and my specific concerns "soon".

Thanks for your continued input,
Ethan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: Digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110717/50066038/attachment.pgp>

More information about the security mailing list