[lug] Security notice and Ramen

D. Stimits stimits at idcomm.com
Tue Jan 23 17:03:28 MST 2001


Sean Reifschneider wrote:
> 
> On Tue, Jan 23, 2001 at 03:20:00PM -0700, D. Stimits wrote:
> >A big part of making buffer overflow popular is because of functions
> >that expect a NULL-terminated string (i.e., sprintf/sscanf and friends
> 
> I'd really love to see some network services written in Python or Perl.
> You have to be careful to prevent someone from sending a huge string
> without a newline, thus using as much RAM as possible, but it shouldn't
> be possible to do any buffer overflow attacks.

A similar scenario for some of the C++ STL containers. I could imagine
someone trying to buffer overflow a std::string for someone with a 56k
modem. They'd be sending one string for all day and night, wondering why
it wasn't overflowing yet.

> 
> DJB wrote a whole slew of dynamic string handling code as part of QMail...
> 
> Sean
> --
>  Thieves broke into Scotland Yard yesterday and stole all the toilets.
>  Detectives say they have nothing to go on.
> Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
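The contrast drawn in this exchange, as an added example that is neither Sean's nor the poster's code: the fixed-buffer sprintf idiom the thread criticizes beside a std::string reader that caps the line length, so the "huge string without a newline" case Sean raises is rejected instead of eating RAM. Function names and the sample inputs are constructed for illustration.

```cpp
#include <cstdio>
#include <istream>
#include <sstream>
#include <string>

// Before: the C idiom under discussion. The destination has a fixed size,
// but sprintf stops only at the NUL terminator of `name`, so a longer name
// writes past `buf`. Shown for contrast only; do not call with untrusted input.
void greet_fixed(const char* name) {
    char buf[32];
    std::sprintf(buf, "Hello, %s!", name);   // no length check at all
    std::puts(buf);
}

// After: std::string owns and grows its own storage, so there is no fixed
// buffer to overrun. What remains is the cost Sean points out: a client can
// stream bytes without ever sending '\n' and make the string grow without
// bound. So cap the line length and report failure instead of growing past it.
// Returns true and fills `out` on success; false on EOF with no data, or when
// `max_len` bytes arrive before a newline (caller should drop the connection).
bool read_bounded_line(std::istream& in, std::size_t max_len, std::string& out) {
    out.clear();
    char c;
    while (in.get(c)) {
        if (c == '\n') return true;               // complete line within the cap
        if (out.size() >= max_len) return false;  // too long: reject, do not grow
        out.push_back(c);
    }
    return !out.empty();                          // final line without newline
}

std::string greet_bounded(std::istream& in, std::size_t max_len) {
    std::string name;
    if (!read_bounded_line(in, max_len, name)) return "rejected";
    return "Hello, " + name + "!";               // grows as needed, never overruns
}

int main() {
    // Constructed inputs standing in for a network client.
    std::istringstream ok("alice\n");
    std::istringstream flood(std::string(100000, 'A'));  // no newline at all
    std::puts(greet_bounded(ok, 64).c_str());     // Hello, alice!
    std::puts(greet_bounded(flood, 64).c_str());  // rejected
    return 0;
}
```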
