Coding the DJB way?

Discussion in 'C Programming' started by Jan Richter, Aug 16, 2005.

  1. Jan Richter

    Jan Richter Guest

    Hi there,

    in the document available at http://cr.yp.to/2004-494/0825.pdf
    DJB says that a construct like:

    while (*tz != '\0')
        *q++ = *tz++;

    would make it possible to take over the machine by a local user.
    What does he mean exactly with his statement? Can anyone shed
    some light on that? I don't really understand this. Is there a resource
    that explains a bit more the coding style DJB used? I have had a
    look at his API and his internal helper functions used in his software,
    and I'd like to understand them more than I do now.

    Cheers,
    JR
     
    Jan Richter, Aug 16, 2005
    #1

  2. Igmar Palsenberg

    Igmar Palsenberg Guest

    Jan Richter wrote:
    > Hi there,
    >
    > in the document available at http://cr.yp.to/2004-494/0825.pdf
    > DJB says that a construct like:
    >
    > while (*tz != '\0')
    > *q++ = *tz++;
    >
    > would make it possible to take over the machine by a local user.
    > What does he mean exactly with his statement? Can anyone shed
    > some light on that? I don't really understand this.


    Read the *entire* document, not just the first few pages. The rest of
    it is about stacks, and the (in)famous buffer over/underflow, which
    this is all about.

    > Is there a resource
    > that explains a bit more the coding style DJB used? I have had a
    > look at his API and his internal helper functions used in his software,
    > and I'd like to understand them more than I do now.


    It's usually about one thing: don't trust input you don't generate, and
    make sure a function does what it is supposed to. For example: don't
    assume that a char * is NULL terminated; use strlcpy() to make sure the
    result always is, no matter what the input is.


    Igmar
     
    Igmar Palsenberg, Aug 16, 2005
    #2

  3. Richard Bos

    Richard Bos Guest

    "Jan Richter" <> wrote:

    > in the document available at http://cr.yp.to/2004-494/0825.pdf
    > DJB says that a construct like:
    >
    > while (*tz != '\0')
    > *q++ = *tz++;
    >
    > would make it possible to take over the machine by a local user.
    > What does he mean exactly with his statement?


    Nothing, AFAICT. That is, he promises that it will be explained later
    on, but it isn't. There's just some (inaccurate and highly system-
    dependent) platitudes about stacks.

    > Can anyone shed some light on that? I don't really understand this.


    You needn't. Without a lot more context, his statement is meaningless.

    Yes, it _is_ possible to write a program which, as a whole, is so broken
    that it would allow "a local user" to "take over the machine", for some,
    again highly system-dependent, meaning of those phrases. But if you do,
    the error is not just in the lines as he quotes them. It is also quite
    possible to write a correct program, with no security hole, in which
    such lines occur.

    (That said, it is a silly bit of code, since we have strcpy().)

    Richard
     
    Richard Bos, Aug 16, 2005
    #3
  4. akarl

    akarl Guest

    Jan Richter wrote:
    > Hi there,
    >
    > in the document available at http://cr.yp.to/2004-494/0825.pdf
    > DJB says that a construct like:
    >
    > while (*tz != '\0')
    > *q++ = *tz++;
    >
    > would make it possible to take over the machine by a local user.
    > What does he mean exactly with his statement? Can anyone shed
    > some light on that? I don't really understand this. Is there a resource
    > that explains a bit more the coding style DJB used? I have had a
    > look at his API and his internal helper functions used in his software,
    > and I'd like to understand them more than I do now.


    The control statement above is semantically equivalent to

    while (*tz != '\0') {
        *q = *tz;
        tz++;
        q++;
    }

    which has the same effect as

    i = 0;
    while (tz[i] != '\0') {
        q[i] = tz[i];
        i++;
    }

    Note that the string copied to q is not terminated by '\0'.


    August
     
    akarl, Aug 16, 2005
    #4
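    An added example (not code from the thread, from DJB's paper, or from
    sendmail) that puts the two points made in #2 (use a bounded copy that
    always terminates) and #4 (the loop leaves q unterminated) side by side:
    the quoted loop as posted, and a bounded replacement with strlcpy's
    contract. The names raw_copy, bounded_copy, demo_raw, demo_bounded_*,
    the 8-byte destination and the 32-byte arena are all assumptions made
    for this example; bounded_copy is a stand-in written here because
    strlcpy() is not in every libc. The overrun is measured inside an arena
    the function owns so the demonstration stays defined; in a real program
    the bytes past the buffer are whatever sits above it on the stack.

```c
#include <stdio.h>
#include <string.h>

#define DEST_SIZE  8   /* assumed size of the buffer q points into */
#define ARENA_SIZE 32  /* assumed: memory that happens to follow q */

/* The loop quoted in the thread: copies until the source's NUL, writes
 * no NUL of its own, and never looks at how much room q has.
 * Returns the number of bytes written so the overrun can be measured. */
static size_t raw_copy(char *q, const char *tz)
{
    char *start = q;
    while (*tz != '\0')
        *q++ = *tz++;
    return (size_t)(q - start);
}

/* Bounded replacement with strlcpy's contract (a stand-in for this
 * example, since strlcpy is not in every libc): writes at most qsize - 1
 * bytes, always leaves a NUL when qsize > 0, and returns strlen(tz) so
 * the caller can detect truncation by checking ret >= qsize. */
static size_t bounded_copy(char *q, size_t qsize, const char *tz)
{
    size_t srclen = strlen(tz);
    if (qsize == 0)
        return srclen;
    size_t n = srclen < qsize - 1 ? srclen : qsize - 1;
    memcpy(q, tz, n);
    q[n] = '\0';
    return srclen;
}

struct raw_result {
    size_t overrun;    /* bytes written past the DEST_SIZE slot */
    int    terminated; /* did a NUL land right after the copied bytes? */
};

/* Runs raw_copy into an 8-byte slot at the front of a larger arena that
 * this function owns, so the overrun lands in memory we can inspect
 * instead of clobbering whatever sits above the buffer in a real
 * program. Sources that would overrun the arena itself are refused
 * (overrun == (size_t)-1). */
struct raw_result demo_raw(const char *src)
{
    struct raw_result r = { (size_t)-1, 0 };
    char arena[ARENA_SIZE];

    if (strlen(src) >= ARENA_SIZE - 1)
        return r;                        /* refused: would leave the arena */

    memset(arena, 'X', sizeof arena);    /* visible filler, no NULs */
    arena[ARENA_SIZE - 1] = '\0';        /* backstop so strlen() stops */

    size_t written = raw_copy(arena, src);
    r.overrun = written > DEST_SIZE ? written - DEST_SIZE : 0;
    r.terminated = (arena[written] == '\0');  /* always 0: loop wrote no NUL */
    return r;
}

/* Same copy, bounded to an 8-byte buffer. Returns 1 if the source did
 * not fit (the buffer then holds a truncated prefix), 0 if it fit whole. */
int demo_bounded_truncated(const char *src)
{
    char out[DEST_SIZE];
    return bounded_copy(out, DEST_SIZE, src) >= DEST_SIZE;
}

/* Returns 1 if the bounded copy of src into an 8-byte buffer equals
 * expect: the result is always a proper, NUL-terminated string. */
int demo_bounded_yields(const char *src, const char *expect)
{
    char out[DEST_SIZE];
    bounded_copy(out, DEST_SIZE, src);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    const char *src = "0123456789AB";  /* constructed 12-byte input */
    struct raw_result r = demo_raw(src);
    char out[DEST_SIZE];

    printf("raw loop:     %zu bytes past the 8-byte buffer, terminated=%d\n",
           r.overrun, r.terminated);
    bounded_copy(out, DEST_SIZE, src);
    printf("bounded copy: \"%s\" truncated=%d\n",
           out, demo_bounded_truncated(src));
    return 0;
}
```

    The point of checking the return value of bounded_copy is that
    truncation is a decision for the caller, not something to silence:
    rejecting the input is usually right, silently keeping the prefix is
    sometimes right, but either way the buffer is in bounds and terminated.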
  5. rob mayoff

    rob mayoff Guest

    Jan Richter wrote:
    > in the document available at http://cr.yp.to/2004-494/0825.pdf
    > DJB says that a construct like:
    >
    > while (*tz != '\0')
    > *q++ = *tz++;
    >
    > would make it possible to take over the machine by a local user.


    Not exactly. He's saying that such code did make it possible in one
    particular instance. He quoted the code exactly and paraphrased the
    release note (which says that it's a local root vulnerability). You
    can find the faulty code, the fixed code, and the release note in this
    file:

    http://www.sendmail.org/ftp/past-releases/sendmail.8.7.6.patch
     
    rob mayoff, Aug 19, 2005
    #5
