Coding the DJB way?

Jan Richter wrote:

Hi there,

in the document available at http://cr.yp.to/2004-494/0825.pdf
DJB says that a construct like:

while (*tz != '\0')
*q++ = *tz++;

would make it possible to take over the machine by a local user.
What does he mean exactly with his statement? Can anyone shed
some light on that? I don't really understand this.
Read the *entire* document, not just the first few pages. The rest of
them are about stacks, and the (in)famous buffer over/underflow, where
this is all about.
Is there a resource
that explains a bit more the coding style DJB used? I have had a
look at his API and his internal helper functions used in his software,
and I'd like to understand them more than I do now.

It's usually about 1 think : Don't trust input you don't generate, and
make sure a function does what it is suppose to. For example : Don't
assume that a char * is NULL terminated, use strlcpy() to make sure the
result always is, no matter what the input is.
Igmar

"Jan Richter" <vi**********@yahoo.de> wrote:

in the document available at http://cr.yp.to/2004-494/0825.pdf
DJB says that a construct like:

while (*tz != '\0')
*q++ = *tz++;

would make it possible to take over the machine by a local user.
What does he mean exactly with his statement?
Nothing, AFAICT. That is, he promises that it will be explained later
on, but it isn't. There's just some (inaccurate and highly system-
dependent) platitudes about stacks.
Can anyone shed some light on that? I don't really understand this.

You needn't. Without a lot more context, his statement is meaningless.

Yes, it _is_ possible to write a program which, as a whole, is so broken
that it would allow "a local user" to "take over the machine", for some,
again highly system-dependent, meaning of those phrases. But if you do,
the error is not just in the lines as he quotes them. It is also quite
possible to write a correct program, with no security hole, in which
such lines occur.

(That said, it is a silly bit of code, since we have strcpy().)

Richard

Jan Richter wrote:

Hi there,

in the document available at http://cr.yp.to/2004-494/0825.pdf
DJB says that a construct like:

while (*tz != '\0')
*q++ = *tz++;

would make it possible to take over the machine by a local user.
What does he mean exactly with his statement? Can anyone shed
some light on that? I don't really understand this. Is there a resource
that explains a bit more the coding style DJB used? I have had a
look at his API and his internal helper functions used in his software,
and I'd like to understand them more than I do now.

The control statement above is semantically equivalent to

while (*tz != '\0') {
*q = *tz;
tz++;
q++;
}

which has the same effect as

i = 0;
while (tz[i] != '\0') {
q[i] = tz[i];
i++;
}

Note that the string copied to q is not terminated by '\0'.
August

Jan Richter wrote:

in the document available at http://cr.yp.to/2004-494/0825.pdf
DJB says that a construct like:

while (*tz != '\0')
*q++ = *tz++;

would make it possible to take over the machine by a local user.

Not exactly. He's saying that such code did make it possible in one
particular instance. He quoted the code exactly and paraphrased the
release note (which says that it's a local root vulnerability). You
can find the faulty code, the fixed code, and the release note in this
file:

http://www.sendmail.org/ftp/past-rel...il.8.7.6.patch