[Python-Dev] RE: buffer overlow in PC/getpathp.c
Wed, 27 Sep 2000 22:55:57 -0400
>I would be happy to! Although I am happy to report that I believe it
>safe - I have been very careful of this from the time I wrote it.
>What is the process? How formal should it be?
Not sure how formal it should be, but I would recommend you review uses of
strcpy and convince yourself that the source string is never longer than the
target buffer. I am not convinced. For example, in calculate_path(), char
*pythonhome is initialized from an environment variable and thus has unknown
length. Later it used in a strcpy(prefix, pythonhome), where prefix has a
fixed length. This looks like a vulnerability than could be closed by using
strncpy(prefix, pythonhome, MAXPATHLEN).
The Unix version of this code had three or four vulnerabilities of this
sort. So I imagine the Windows version has those too. I was imagining that
the registry offered a whole new opportunity to provide unexpectedly long
strings that could overflow buffers.