In the recurrent tedious discussions here of relaxing the 100-character
PARM length limit, the objection has been raised that this could
subject authorized programs to the hazard of buffer overruns and
the proverbial "early termination, execution of arbitrary code, or
escalation of privileges".

However, lately in:

    http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/bpxzb1c0/2.30

    Title: z/OS V1R13.0 UNIX System Services Programming: Assembler Callable Services Reference
    Document Number: SA22-7803-14

I stumbled upon:

    2.30 execmvs (BPX1EXM, BPX4EXM) -- Run an MVS program

| ... The argument can be from 0 to 4096
| bytes long except for unauthorized callers calling authorized
| programs. For unauthorized callers calling authorized programs, the
| argument can be from 0 to 100 bytes long. If you want to allow an
| unauthorized caller to pass an argument greater than 100 bytes to a
| program, a BPX.EXECMVSAPF.program_name FACILITY class profile
| needs to be defined for that program. 

(Note revision bars.  Plus a few Google hits; IBMLink tells me nothing.)
So in a closely related context, IBM has recognized the hazard and
provided a solution.  I assume batch initiators could employ a similar
technique, perhaps even the same FACILITY class, so buffer overrun
need no longer be considered an obstacle to longer PARMs.

-- gil
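
The buffer-overrun hazard discussed above, as an added example that is not part of the original post or of IBM's documentation: a C model of the length check an authorized program written against the 100-byte limit needs before it copies a PARM that may now be up to 4096 bytes. It assumes the PARM field is a big-endian halfword length followed by the text; `copy_parm`, `make_parm`, `PARM_BUF` and the `field_size` argument (the bytes present in the constructed sample) are hypothetical names for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PARM_BUF 100  /* buffer size the program was written against (assumption) */

/* Declared length: big-endian halfword at the start of the PARM field. */
static size_t parm_len(const unsigned char *field) {
    return ((size_t)field[0] << 8) | field[1];
}

/* Copy the PARM text into out. Returns 0 on success, -1 when the declared
   length exceeds the caller's buffer or the bytes actually supplied.
   An oversized PARM is rejected, never truncated or copied blindly. */
int copy_parm(const unsigned char *field, size_t field_size,
              unsigned char *out, size_t out_cap, size_t *out_len) {
    if (field == NULL || out == NULL || out_len == NULL || field_size < 2)
        return -1;
    size_t n = parm_len(field);
    if (n > field_size - 2)   /* length claims more data than is present */
        return -1;
    if (n > out_cap)          /* would overrun the fixed-size buffer */
        return -1;
    memcpy(out, field + 2, n);
    *out_len = n;
    return 0;
}

/* Constructed sample input: a PARM field holding n bytes of 'A'. */
static size_t make_parm(unsigned char *field, size_t n) {
    field[0] = (unsigned char)(n >> 8);
    field[1] = (unsigned char)(n & 0xff);
    memset(field + 2, 'A', n);
    return n + 2;
}

int main(void) {
    unsigned char field[2 + 4096], buf[PARM_BUF];
    size_t lens[] = {0, 100, 101, 4096}, got;
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t sz = make_parm(field, lens[i]);
        int rc = copy_parm(field, sz, buf, sizeof buf, &got);
        printf("PARM length %4zu -> %s\n", lens[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```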
