[Python-Dev] PyErr_Format security note
M.-A. Lemburg
mal@lemburg.com
Mon, 15 Nov 1999 10:49:26 +0100
Greg Stein wrote:
>
> On Mon, 15 Nov 1999, M.-A. Lemburg wrote:
> >...
> > In sysmodule.c, this check is done which should be safe enough
> > since no "return" is issued (Py_FatalError() does an abort()):
> >
> >     if (vsprintf(buffer, format, va) >= sizeof(buffer))
> >         Py_FatalError("PySys_WriteStdout/err: buffer overrun");
>
> I believe the return from vsprintf() itself would be the problem.

Ouch, yes, you are right... but who could exploit this security
hole? Since PyErr_Format() is only reachable for C code, only
bad programming style in extensions could make it exploitable
via user input.

Wouldn't it be possible to assign thread globals for these
functions to use? These would live on the heap instead of
on the stack and eliminate the buffer overrun possibilities
(I guess -- I don't have any experience with these...).

--
Marc-Andre Lemburg
______________________________________________________________________
Y2000: 46 days left
Business: http://www.lemburg.com/
Python Pages: http://www.lemburg.com/python/
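
The check quoted in the message above only runs after vsprintf() has already written into the buffer, which is the problem raised in the reply. As an added example (not code from this message or from the Python sources), here is a bounded variant using C99 vsnprintf(), where the length check happens without the buffer ever being overrun; the helper names `bounded_vformat` and `bounded_format` and the sample input are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a CPython function): format into a caller-supplied
 * buffer without ever writing more than `size` bytes.
 * Returns 0 if the whole message fit, 1 if it was truncated, -1 on error. */
static int bounded_vformat(char *buf, size_t size, const char *format, va_list va)
{
    int needed;

    if (buf == NULL || size == 0 || format == NULL)
        return -1;

    /* C99 vsnprintf() writes at most size-1 characters plus the NUL and
     * returns the length the complete output would have had. */
    needed = vsnprintf(buf, size, format, va);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    /* Looking at the length here is safe: unlike the vsprintf() pattern,
     * nothing beyond buf[size-1] has been touched by this point. */
    return ((size_t)needed >= size) ? 1 : 0;
}

/* Variadic front end, shaped like a PyErr_Format()-style caller would use. */
static int bounded_format(char *buf, size_t size, const char *format, ...)
{
    va_list va;
    int rc;

    va_start(va, format);
    rc = bounded_vformat(buf, size, format, va);
    va_end(va);
    return rc;
}

int main(void)
{
    char buffer[16];
    /* Constructed sample input standing in for an attacker-influenced string. */
    const char *long_name = "a_very_long_attribute_name_from_user_input";
    int rc = bounded_format(buffer, sizeof(buffer), "no attr '%s'", long_name);

    printf("rc=%d buffer=\"%s\"\n", rc, buffer);
    return 0;
}
```

The bound holds whether the buffer lives on the stack, on the heap or in per-thread storage, because the write itself is limited rather than checked afterwards.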