On Tue, 26 Jun 2007, Kenneth Van Wyk wrote:

> Mind you, the overrun can only be exploited when specific characters
> are used as input to the loop in the code.  Thus, I'm inclined to
> think that this is an interesting example of a bug that would have
> been extraordinarily difficult to find using black box testing, even
> fuzzing.

I would assume that "smart" fuzzing could have lots of manipulations of
the HH:mm:ss.f format (the intended format mentioned in the advisory), so
this might be findable using black box testing, although I don't know how
many fuzzers actually know how to muck with time strings.  Because the
programmer told flawfinder to ignore the strncpy() that it had flagged, it
also shows a limitation of manual testing.

In CVE anyway, I've seen a number of overflows involving strncpy, and
they're not all off-by-one errors.  They're hard to enumerate because we
don't usually track which function was used, but here are some:

CVE-2007-2489 - negative length

CVE-2006-4431 - empty input causes crash involving strncpy

CVE-2006-0720 - "incorrect" strncpy call

CVE-2004-0500 - another bad strncpy

CVE-2003-0465 - interesting API interaction

- Steve
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to