Mailing List archive
[vdr] Re: BUG: vdr-streamdev
On Wed, Nov 10, 2004 at 08:44:20AM +0100, hm@seneca.muc.de wrote:
> Josef Wolf <jw@raven.inka.de> wrote:
> > On Thu, Nov 04, 2004 at 12:17:46PM +0100, hm@seneca.muc.de wrote:
>
>>> if (strncasecmp (String, channel->Name(), strlen (channel->Name())) == 0)
>
>> Is it by intention that you use strncasecmp() instead of strcasecmp()?
>> Even when you favour strncasecmp() then the length should be evaluated
>> from String:
>
>> if (strncasecmp (String, channel->Name(), strlen (String)) == 0)
>
>> This way the first matching channel will be taken.
>
> Yes but for security reasons I want to use the length of the string in
> channels.conf. "String" is taken verbatim from the data the user sends, and
> I don't want the user to be able to create buffer overflow side effects.

Ough! I can't see how to create a buffer overflow with strcmp() as long
as channel->Name() is terminated properly. Assuming strlen(a)>strlen(b),
strncasecmp(a,b,strlen(a)) will stop comparing at the same position
at which strcasecmp(a,b) would stop: the '\0' that terminates b.

Thus, as long as channel->Name() is terminated properly, the user has no
way to create a buffer overflow. OTOH, when channel->Name() is _not_
terminated properly, then passing it to strlen() will blow up. Using
strncasecmp() in the above example doesn't buy you anything as far as buffer
overflows are concerned.

> In general, you never want to use strcmp or strcasecmp, there were
> too many buffer overflow exploits (as for strcpy etc.). Always use "n"
> and proper buffer checking, e.g. with malloc().

strcpy/strcat/malloc are a different story. Don't confuse them with
str[n]cmp.

--
Please visit and sign and http://www.ffii.org
-- Josef Wolf -- jw@raven.inka.de --
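
The three comparison variants debated in this thread, side by side, as an added example that is not part of the original posts or of the streamdev source. The channel table, `find_channel()` and the `match_mode` names are constructed for illustration; all three variants only read their NUL-terminated arguments, so they differ in which input they accept as a match, not in memory safety.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* Constructed channel names standing in for channel->Name() values. */
static const char *const channels[] = { "ARD", "ARD Extra", "ZDF" };
#define NCHANNELS (sizeof channels / sizeof channels[0])

enum match_mode {
    BY_NAME_LEN,   /* strncasecmp(String, Name, strlen(Name))   */
    BY_INPUT_LEN,  /* strncasecmp(String, Name, strlen(String)) */
    EXACT          /* strcasecmp(String, Name)                  */
};

/* Return the index of the first channel matching input, or -1 if none. */
int find_channel(const char *input, enum match_mode mode)
{
    for (size_t i = 0; i < NCHANNELS; i++) {
        const char *name = channels[i];
        int r;
        switch (mode) {
        case BY_NAME_LEN:  r = strncasecmp(input, name, strlen(name));  break;
        case BY_INPUT_LEN: r = strncasecmp(input, name, strlen(input)); break;
        default:           r = strcasecmp(input, name);                 break;
        }
        if (r == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed user inputs: a longer name, a prefix, empty, trailing junk. */
    const char *inputs[] = { "ard extra", "a", "", "ARDxxxxxxxx" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("\"%s\": name-len=%d input-len=%d exact=%d\n", inputs[i],
               find_channel(inputs[i], BY_NAME_LEN),
               find_channel(inputs[i], BY_INPUT_LEN),
               find_channel(inputs[i], EXACT));
    return 0;
}
```

Bounding by the channel name's length accepts any input that merely starts with a channel name, bounding by the input's length accepts any prefix of a channel name (including the empty string), and only the exact comparison rejects both.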