Re: LYNX-DEV bug in LYString.c
From: Foteos Macrides
Subject: Re: LYNX-DEV bug in LYString.c
Date: Sun, 03 Aug 1997 20:28:57 -0500 (EST)

juergen baumann <address@hidden> wrote:
>first: sorry for mailing into this list without having subscribed to it...
>(I haven't got as much time as I need to follow all the possible lists of
> developments on which I currently spend a little bit of time..)
>
>running system is Linux 2.1.41, lynx 2.7.1 is compiled with slang.lib.
>
>but this is not relevant to this bug.
>
>any Website can currently crash lynx with a simple FORM-entry.
>
>I've tried a TEXTAREA with a line of more than 1024 characters
>and lynx crashes. maybe other INPUT-fields do the same, but I
>haven't checked this out.
>
>the crash is caused by a stack-corruption, inited by the function
>LYSetupEdit() in LYString.c. a strcpy() is used on an array of
>1024 characters without any check of the amount of copied data.
>
>a simple patch prevents this:
[...]
Thanks for the bug report and patch. That vulnerability to
stack manipulation was fixed some time, more elaborately via mods
with appropriate messaging in HTForms.c, and this in HTStrings.c:

    /*
     *  We expect the called function to pass us a default (old) value
     *  with a length that is less than or equal to maxstr, and to
     *  handle any messaging associated with actions to achieve that
     *  requirement.  However, in case the calling function screwed
     *  up, we'll check it here, and ensure that no buffer overrun can
     *  occur by loading only as much of the head as fits. - FM
     */
    if (strlen(old) >= maxstr) {
        strncpy(edit->buffer, old, maxstr);
        edit->buffer[maxstr] = '\0';
        StrLen = maxstr;
    } else {
        strcpy(edit->buffer, old);
    }

Fote
=========================================================================
Foteos Macrides Worcester Foundation for Biomedical Research
address@hidden 222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
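
Added example, not part of the original message or of the Lynx source: a self-contained C version of the bounded copy described in the reply, which additionally clamps maxstr to the buffer's real capacity so that the terminator write stays in bounds. The names EditField, setup_edit() and EDIT_BUF_SIZE are hypothetical, and the 2000-character line is constructed input.

```c
#include <stdio.h>
#include <string.h>

#define EDIT_BUF_SIZE 1024  /* assumption: the 1024-byte array from the report */

/* Hypothetical stand-in for the edit structure; not Lynx's definition. */
typedef struct {
    char   buffer[EDIT_BUF_SIZE];
    size_t maxstr;   /* longest string accepted, excluding the NUL */
    size_t len;      /* length currently stored in buffer */
} EditField;

/* Load `old` into the field. Returns 1 if truncated, 0 if it fit,
 * -1 on bad arguments. Never writes past edit->buffer. */
int setup_edit(EditField *edit, const char *old, size_t maxstr)
{
    size_t len;
    int truncated;

    if (edit == NULL || old == NULL)
        return -1;
    /* The length check only protects the buffer if maxstr itself leaves
     * room for the terminator, so clamp it to the real capacity first. */
    if (maxstr > sizeof(edit->buffer) - 1)
        maxstr = sizeof(edit->buffer) - 1;
    len = strlen(old);
    truncated = len > maxstr;
    if (truncated)
        len = maxstr;            /* keep only the head that fits */
    memcpy(edit->buffer, old, len);
    edit->buffer[len] = '\0';
    edit->maxstr = maxstr;
    edit->len = len;
    return truncated;
}

int main(void)
{
    static EditField field;
    char line[2001];             /* constructed input: one 2000-char line */

    memset(line, 'A', sizeof(line) - 1);
    line[sizeof(line) - 1] = '\0';
    printf("truncated=%d stored=%zu\n",
           setup_edit(&field, line, EDIT_BUF_SIZE - 1), field.len);
    return 0;
}
```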