Re: _Initial_ security audit result: ORBit

On Tue, 23 Feb 1999, Elliot Lee wrote:

> On Tue, 23 Feb 1999, Chris Evans wrote:
> 
> I could blame ANSI C for not automatically truncating these assignments,
> yadda yadda yadda, but I won't...

Is there a switch to warn for every signed->unsigned cast, implicit or
explicit?

> >         if(!connection->is_auth
> >            && message_size > 131072) {

To revisit this piece of code - is this to ensure we don't allocate huge
amounts of memory in response to a malicious network request?

If so, I have a minor gripe in giop-msg-buffer.c,
giop_recv_request_decode_message(). We g_new(x) where x is a value taken
straight out of the "from the network" data. x is not checked for a
sensible value. I suspect there are other occurrences of this in the same
file.

> It seems calling malloc(-2) (aka malloc(4294967294)) returns a pointer
> into the heap. malloc_usable_size(malloc(N)) returns 12 for any INT_MIN <=
> N < 0. I'm wondering if there is possibly a bug in malloc somewhere...?

Hmm. Maybe malloc(-ve number) returns a pointer to the last allocation?
That's the only thing that makes sense aside from your bug theory.

Cheers
Chris
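The two allocation patterns discussed above, written out as an added example. This is not code from the original thread or from ORBit's giop-msg-buffer.c; the 12-byte header layout, the function names and the "size at offset 8" field are assumptions made for illustration. The naive function shows how a negative wire value passed to a size_t parameter is not truncated (it becomes SIZE_MAX - 1, i.e. 4294967294 on a 32-bit build), and the checked function applies the 131072 bound before anything is allocated and guards the element-count multiply that g_new() performs. GCC's -Wsign-conversion flags the implicit signed-to-unsigned conversion in the naive version.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 12-byte header used for this example: 4 bytes magic, 1 byte
 * major, 1 byte minor, 1 byte flags, 1 byte message type, then a 4-byte
 * little-endian message size at offset 8. The layout is an assumption for
 * illustration, not ORBit's actual decoder. */
#define HDR_LEN   12
#define SIZE_OFF  8

/* Upper bound for messages from a not-yet-authenticated peer, taken from the
 * check quoted in the thread. */
#define MAX_UNAUTH_MESSAGE 131072u

/* Build a constructed header carrying the given (possibly negative) size. */
void build_header(int32_t size, unsigned char out[HDR_LEN])
{
    uint32_t u = (uint32_t)size;           /* two's-complement bit pattern */
    memcpy(out, "GIOP", 4);
    out[4] = 1; out[5] = 0; out[6] = 0; out[7] = 0;
    out[SIZE_OFF + 0] = (unsigned char)(u & 0xff);
    out[SIZE_OFF + 1] = (unsigned char)((u >> 8) & 0xff);
    out[SIZE_OFF + 2] = (unsigned char)((u >> 16) & 0xff);
    out[SIZE_OFF + 3] = (unsigned char)((u >> 24) & 0xff);
}

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive pattern: the wire value lands in a signed int and is handed straight
 * to an allocator that takes size_t. Nothing truncates it; -2 silently
 * becomes SIZE_MAX - 1. Compile with gcc -Wsign-conversion to have the
 * implicit conversion on the "size_t n = message_size;" line reported. */
size_t naive_alloc_size(const unsigned char *hdr)
{
    int32_t message_size = (int32_t)read_le32(hdr + SIZE_OFF);
    size_t n = message_size;               /* implicit signed -> size_t */
    return n;                              /* what malloc()/g_new() would see */
}

/* Hardened pattern: keep the value unsigned, apply the policy bound before
 * any allocation, and guard the count * element-size multiply that g_new()
 * does internally. Returns 0 and the byte count on success, -1 on rejection. */
int checked_alloc_size(const unsigned char *hdr, size_t elem_size,
                       int is_auth, size_t *out)
{
    uint32_t message_size = read_le32(hdr + SIZE_OFF);

    if (memcmp(hdr, "GIOP", 4) != 0 || elem_size == 0)
        return -1;
    if (!is_auth && message_size > MAX_UNAUTH_MESSAGE)
        return -1;                         /* reject before touching the heap */
    if (message_size > SIZE_MAX / elem_size)
        return -1;                         /* count * elem_size would wrap */

    *out = (size_t)message_size * elem_size;
    return 0;
}

int main(void)
{
    unsigned char hdr[HDR_LEN];
    size_t n;

    build_header(-2, hdr);                 /* attacker-controlled wire value */
    printf("naive size for wire value -2: %zu\n", naive_alloc_size(hdr));
    printf("checked (unauthenticated): %s\n",
           checked_alloc_size(hdr, 1, 0, &n) == 0 ? "accepted" : "rejected");

    build_header(4096, hdr);
    if (checked_alloc_size(hdr, 1, 0, &n) == 0)
        printf("checked (unauthenticated) 4096: accepted, %zu bytes\n", n);
    return 0;
}
```

The checked version still lets an authenticated peer request anything up to SIZE_MAX / elem_size, which mirrors the is_auth policy in the quoted check; whether authenticated peers deserve their own cap is a separate policy decision, not something the thread settles.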
