On Tue, 26 Jun 2007, Kenneth Van Wyk wrote:
> Mind you, the overrun can only be exploited when specific characters
> are used as input to the loop in the code. Thus, I'm inclined to
> think that this is an interesting example of a bug that would have
> been extraordinarily difficult to find using black box testing, even
> fuzzing.
I would assume that "smart" fuzzing could have lots of manipulations of the HH:mm:ss.f format (the intended format mentioned in the advisory), so this might be findable using black box testing, although I don't know how many fuzzers actually know how to muck with time strings.

Because the programmer told flawfinder to ignore the strncpy() that it had flagged, it also shows a limitation of manual testing.

In CVE anyway, I've seen a number of overflows involving strncpy, and they're not all off-by-one errors. They're hard to enumerate because we don't usually track which function was used, but here are some:

CVE-2007-2489 - negative length
CVE-2006-4431 - empty input causes crash involving strncpy
CVE-2006-0720 - "incorrect" strncpy call
CVE-2004-0500 - another bad strncpy
CVE-2003-0465 - interesting API interaction

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
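The strncpy() failure classes Steve lists (negative length, empty input, an "incorrect" call), shown as an added C example that is not part of this thread: a probe that demonstrates strncpy() leaving a buffer unterminated when the source fills it exactly, beside a bounded_copy() helper (a name assumed here) that rejects a negative length, terminates on empty input and reports truncation. The HH:mm:ss.f sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if strncpy() left dst with no terminator, 0 otherwise: the
   "incorrect strncpy call" class, where the source fills dst exactly. */
int strncpy_leaves_unterminated(const char *src, size_t dstsize)
{
    char dst[16];
    if (dstsize == 0 || dstsize > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);   /* sentinel: no NULs present beforehand */
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) == NULL;
}

/* Hardened copy (bounded_copy is a name assumed here). The length is a signed
   int, as many callers compute it, so a negative value is rejected instead of
   wrapping to a huge size_t; the NUL is always written; empty input is fine.
   Returns 0 on success, 1 if the requested bytes did not fit, -1 on bad args. */
int bounded_copy(char *dst, size_t dstsize, const char *src, int len)
{
    size_t n, avail, i;
    if (dst == NULL || src == NULL || dstsize == 0 || len < 0) return -1;
    n = (size_t)len;
    avail = dstsize - 1;            /* leave room for the NUL */
    for (i = 0; i < n && i < avail && src[i] != '\0'; i++) dst[i] = src[i];
    dst[i] = '\0';
    return (i < n && src[i] != '\0') ? 1 : 0;   /* source still had bytes left */
}

/* Test hook: copy into an internal buffer; return bounded_copy()'s result
   if the buffer then holds `expect`, else -100. */
int copy_check(const char *src, int len, size_t dstsize, const char *expect)
{
    char buf[32];
    if (dstsize > sizeof buf) return -100;
    int rc = bounded_copy(buf, dstsize, src, len);
    if (rc < 0) return rc;
    return strcmp(buf, expect) == 0 ? rc : -100;
}

int main(void)
{
    /* constructed inputs in the HH:mm:ss.f shape the advisory mentions */
    printf("exact fill, no NUL: %d\n", strncpy_leaves_unterminated("0123456789abcdef", 16));
    printf("fits: %d  truncated: %d  negative len: %d\n",
           copy_check("12:34:56.7", 10, 16, "12:34:56.7"),
           copy_check("12:34:56.789", 12, 8, "12:34:5"),
           copy_check("12:34:56.7", -1, 16, ""));
    return 0;
}
```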