Slashdot Mirror
String Cleanup Results On OpenBSD
Dan writes "OpenBSD's Theo De Raadt provides an update on his team's efforts to remove potential buffer overflows within OpenBSD code by always calculating what the bounds of an operation are. They have been going through the source tree cleaning out all calls to sprintf(), strcpy(), and strcat(). Theo says that they have removed (replaced) approximately 2000 occurences of these functions." (The same buffer overrun-squashing effort was mentioned earlier this month.)
Does the BSD team have a list (or rules of thumb?) that mentions other safe coding practises? There has to be book on this, right? (I've always been impressed by the pro-active stance BSD takes towards security -- I just wish the rest of the commercial world could afford the time to do things right, instead of the cheesy no liability out-clause in the EULA.)
:)
If most developers are still using these "trivial" funcs, I'm scared what other funcs are just as buggy!
Funny how one can forget all about these "harmless" bad practises. Time to add it to the internal coding standard.
I wonder when Theo can say they have removed ALL occurrences of these functions??
But more importantly, why wasnt it possible to replace the functions in the library with something (if a bit slower) robust?
Are we witnessing the evolution of the New Libc(tm) ?? Can I patent it?
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
To answer your question, it's not possible to replace the original functions in libc because there's no maximum length param in those functions (unlike the safer "n" equivalents like snprintf()).
...when his mother/SO said, "I think you should do some spring cleaning."
A valid question if you don't know the answer, you shouldn't have been moderated as a troll I think. These "unsafe string funtions" sprintf(), strcpy(), and strcat(), are only unsafe if they are used incorrectly, which is easy to do. OpenBSD's source has been audited in the past to make sure they are used correctly. Now instead of making sure these calls are used correctly they are ripping them out and replacing them with calls to safer string functions. Interestingly it appears Theo is being successful in getting these changes made upstream in openssl, sendmail, and bind. I believe in the past there were some bind security flaws that didn't affect OpenBSD because they had altered their version of bind. The functions they are using to replace the "unsafe" ones are: snprintf() which first appeared in 4.4BSD (as in the original Berkley bsd), asprintf() which came from the GNU C library and first appeared in OpenBSD in 2.3, strlcpy() and strlcat() which were created by OpenBSD in 2.4. The man page for strlcpy() and strlcat() is one of my favorites for the blurb at the end under EXAMPLES:
However, one may question the validity of such optimizations, as they defeat the whole purpose of strlcpy() and strlcat(). As a matter of fact, the first version of this manual page got it wrong.
Also the packet filter thing wasn't a minor squable. It had a licence which sounded like a bsd licence but did not expressly permit distribution of modified source, thus making distribution of modified source illegal. It also was suppose to be installed into / by default, default being the only way you could legally distribute it. The author thought he was gonna go ahead and point that out and be an ass about it. Pretty strange for a licence which said I hate legalese don't you in it.