From: Jennifer A. <jm...@co...> - 2009-10-26 20:43:48
Hi, Arlindo --

This is definitely worth fixing, but I think it will be simpler and faster to replace sprintf() with snprintf() rather than re-implement the message handling in GrADS. I'll put this on my list for the next release. I don't think it represents a security threat with the GDS.

--Jennifer

On Oct 26, 2009, at 11:33 AM, Arlindo da Silva wrote:

> Brian, Jennifer et al,
>
> As we all know, GrADS makes extensive use of the sprintf()
> function, which is known to have the so-called buffer overflow
> vulnerability as explained in this document:
> http://developer.apple.com/mac/library/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html#//apple_ref/doc/uid/TP40002577
>
> A good precaution would be to replace all occurrences of sprintf()
> with snprintf(), making sure the resulting string is NULL
> terminated. Since many occurrences of sprintf() are associated with
> gaprnt(), it might be convenient to use the stdarg.h feature in the
> C standard library
>
> http://en.wikipedia.org/wiki/Stdarg.h
>
> and have a new function
>
> gaprntf(int level, const char *format, ...)
>
> which has the combined effect of sprintf() + gaprnt().
>
> What do you think? I need to address this vulnerability before
> being able to deploy grads server side. I am willing to help
> implement this change in the main grads codebase.
>
> Thanks,
>
> Arlindo
>
> --
> Arlindo da Silva
> da...@al...
>
> _______________________________________________
> Opengrads-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opengrads-devel

--
Jennifer M. Adams
IGES/COLA
4041 Powder Mill Road, Suite 302
Calverton, MD 20705
jm...@co...
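As an added illustration of the gaprntf() idea discussed in the thread (this is example code written for this page, not GrADS code and not from either author): a variadic wrapper that formats with vsnprintf() into a fixed buffer, guarantees NUL termination, reports truncation instead of silently overrunning, and then hands the result to gaprnt(). The buffer size GAMSG_MAX, the return convention, and the stand-in gaprnt() that merely records the last message are all assumptions made here so the code runs stand-alone; the real GrADS gaprnt() writes to the GrADS output stream.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed message buffer size for this example; GrADS's own sizes may differ. */
#define GAMSG_MAX 256

/* Stand-in for GrADS's gaprnt(level, msg) (assumption: the real one prints to
 * the GrADS output). Here it just records the last message and level so the
 * result can be inspected by a caller or a test. */
static char last_msg[GAMSG_MAX];
static int  last_level;

static void gaprnt(int level, const char *msg) {
    last_level = level;
    /* snprintf always NUL-terminates when the size is > 0, so no strncpy pitfalls. */
    snprintf(last_msg, sizeof last_msg, "%s", msg);
}

const char *gaprntf_last_msg(void)   { return last_msg; }
int         gaprntf_last_level(void) { return last_level; }

/* gaprntf: the combined effect of snprintf() + gaprnt() in one call.
 *
 * The unsafe pattern this replaces looks like:
 *     char buf[256];
 *     sprintf(buf, "Cannot open file %s", fname);   // overflows if fname is long
 *     gaprnt(level, buf);
 *
 * Returns 0 if the whole message fit, 1 if it was truncated to fit
 * GAMSG_MAX-1 characters (still NUL-terminated, never overrun), and -1 if
 * vsnprintf reported an encoding/format error. */
int gaprntf(int level, const char *fmt, ...) {
    char buf[GAMSG_MAX];
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);

    if (n < 0) {
        /* Do not trust buf contents after an error; emit a fixed diagnostic. */
        gaprnt(level, "gaprntf: formatting error");
        return -1;
    }

    /* vsnprintf wrote at most sizeof(buf)-1 chars plus a NUL, even when the
     * full message would have needed n >= sizeof(buf) bytes. */
    gaprnt(level, buf);
    return (size_t)n >= sizeof buf ? 1 : 0;
}

int main(void) {
    int rc;

    rc = gaprntf(2, "Cannot open file %s", "data.ctl");
    printf("rc=%d level=%d msg=\"%s\"\n", rc, gaprntf_last_level(), gaprntf_last_msg());

    /* A long argument: with sprintf() this would overrun a 256-byte buffer;
     * here it is truncated and reported instead. */
    rc = gaprntf(1, "Cannot open file %300d", 7);
    printf("rc=%d len=%zu\n", rc, strlen(gaprntf_last_msg()));
    return 0;
}
```

The return value is what makes the replacement more than a mechanical sprintf-to-snprintf swap: call sites that build file names or user-supplied strings can check for 1 and refuse to proceed with a silently clipped value, while the buffer itself can no longer be overrun.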