Mmhh... I don't think so. If boinc is running with more privileges than the "public" user, this user just has to set an environment variable large enough and add shellcode at the end to escalate privileges.
I know we must always use size-checking functions, but getenv() is particularly thorny, so it should be replaced first.

On 18/10/2012 01:12, David Anderson wrote:
> Thanks; I checked in some of these
> (it took a while because I was on vacation).
> Notes:
>
> - For now, we're not generally using size-checking functions
> like snprintf() and strlcpy().
> - For now, we're not checking for malloc() failing.
>
> In both cases: if we're going to add these checks,
> we'd need to do it everywhere.
> There's no point in doing it in just a few places.
> Doing it everywhere is a large code change,
> not currently justified by reported problems.
>
> -- David
>
> On 17-Oct-2012 5:08 AM, rustyBSD wrote:
>> Hi,
>> here are little patches.
>>
>> == async_start.cpp.diff & switcher.cpp.diff ==
>> getenv()ed pointers are copied to fixed-size char,
>> so it overflows if pointer's length > char.
>>
>> == filesys.cpp.diff ==
>> Idem, and some trivial simplifications...
>>
>> == async_file.cpp.diff ==
>> fread() and fwrite() are size_t, and never return < 0.
>>
>> == atiopencl.cpp.diff ==
>> This fopen() is never closed.
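As an added illustration of the getenv()-into-fixed-size-buffer problem this thread is about (example code written here, not BOINC's own; `copy_env_bounded`, `check_value` and the `EXAMPLE_DIR` variable are hypothetical): one bounded-copy helper that refuses a value that does not fit, which is the kind of single place where the check can live instead of being repeated at every getenv() call site.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() and strnlen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not BOINC code: copy the value of environment
 * variable `name` into the caller's fixed-size buffer `dst` of `dstlen`
 * bytes. Unlike strcpy(dst, getenv(name)) it never writes past `dst`.
 * Returns 0 on success, -1 if the variable is unset, -2 if the value
 * would not fit; in the last case dst is left as "" rather than silently
 * truncated, so a later open()/exec() cannot act on a mangled path. */
int copy_env_bounded(const char *name, char *dst, size_t dstlen) {
    const char *val;
    size_t n;

    if (dst == NULL || dstlen == 0) return -2;
    dst[0] = '\0';
    val = getenv(name);
    if (val == NULL) return -1;
    n = strnlen(val, dstlen);       /* never scans beyond dstlen bytes */
    if (n >= dstlen) return -2;     /* value plus NUL would not fit    */
    memcpy(dst, val, n + 1);        /* copies the terminating NUL too  */
    return 0;
}

/* Set a constructed variable to `value` and copy it into a 16-byte
 * buffer of the kind the patches in this thread are concerned with. */
int check_value(const char *value) {
    char buf[16];
    setenv("EXAMPLE_DIR", value, 1);
    return copy_env_bounded("EXAMPLE_DIR", buf, sizeof buf);
}

/* Demonstration: a short value fits, an oversized one is refused. */
int demo(void) {
    char big[64];
    int rc;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short value: rc=%d\n", check_value("/tmp/boinc"));   /* rc=0  */
    rc = check_value(big);                                       /* rc=-2 */
    printf("oversized value (%zu bytes): rc=%d\n", strlen(big), rc);
    return rc;
}

int main(void) { return demo() == -2 ? 0 : 1; }
```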
