Implications of recent virus (Trojan Horse) attack

jb at cs.brown.edu
Fri Nov 18 22:16:02 AEST 1988


There are a couple of other points where problems similar to gets()
overflowing its buffer might arise.  Normal usage of scanf() and
fscanf() can lead to the same problem if trying to read a string
in from someplace.  It is easy to specify the buffer size in the
format, but I have rarely seen this done.

For setuid programs, curses leaves this same type of hole open
with several of its input routines.  There are routines like both
gets() and scanf().

The issue of strcpy() and sprintf() can be worked around, but read
code that uses them and you will find that most programmers do not
put in all the careful checks to make sure that the buffer is not
overrun.  Maybe a good reminder of this problem is needed to get
people to clean up.

				Jim Bloom
				Brown University
				jb at cs.brown.edu
				uunet!brunix!jb
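Added illustration, not part of Jim Bloom's post: the bounded forms of the two reads the message discusses, a scanf()-style read whose field width is derived from the buffer size instead of typed by hand, and an fgets()-based stand-in for gets() that discards the remainder of an over-long line. LONG_INPUT and the demo_* functions are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Bounded replacement for scanf(src, "%s", buf): the width is built from the
 * buffer size, so a 16-byte buffer gets "%15s" (15 chars + NUL). Returns 1 if
 * a token was stored, 0 otherwise. */
int read_token_bounded(const char *src, char *buf, size_t size)
{
    char fmt[32];
    if (size < 2) return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", size - 1);
    return sscanf(src, fmt, buf) == 1;
}

/* Bounded replacement for gets(): reads one line, strips the newline and drains
 * any excess so the next call starts on a fresh line. Returns 1, or 0 at EOF. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (!fgets(buf, (int)size, in)) return 0;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') buf[n] = '\0';
    else { int c; while ((c = getc(in)) != EOF && c != '\n') ; }
    return 1;
}

/* Constructed sample: a 40-char token, far longer than the 16-byte buffers. */
static const char LONG_INPUT[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA tail\nsecond line\n";

/* Bounded token read with a guard word right after the buffer. Returns the
 * stored length (15) if the guard survived, a negative code otherwise. */
int demo_bounded_token(void)
{
    struct { char buf[16]; unsigned guard; } s = { "", 0xDEADBEEFu };
    if (!read_token_bounded(LONG_INPUT, s.buf, sizeof s.buf)) return -1;
    if (s.guard != 0xDEADBEEFu) return -2;
    return (int)strlen(s.buf);
}

/* Reads two lines of LONG_INPUT through a temp file with a 16-byte buffer.
 * Returns 1 if the first was cut to 15 chars and the second arrived intact. */
int demo_bounded_line(void)
{
    char buf[16];
    FILE *f = tmpfile();
    if (!f) return 0;
    fputs(LONG_INPUT, f); rewind(f);
    int ok = read_line_bounded(f, buf, sizeof buf) && strlen(buf) == 15 &&
             read_line_bounded(f, buf, sizeof buf) && !strcmp(buf, "second line");
    fclose(f);
    return ok;
}
```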
