[stunnel-users] safestring and safename insecure
Michal Trojnara
Michal.Trojnara at mobi-com.net
Thu Aug 24 15:59:10 CEST 2006
On 2006-08-24, at 10:11, Hans Werner Strube wrote:
> The macros safestring and safename in common.h are insecure if called
> for a character with high bit set, because (int)*p will sign-extend the
> byte on machines where char is signed. Possible patch (here for
> safestring;
> for safename correspondingly with isprint -> isalnum):
>
> do {char *p; for(p=(s); *p; p++) if(!isprint((int)*(unsigned char
> *)p)) *p='.';} while(0)
Assuming on some systems isprint(x) != isprint(x&0xff): any idea how to
exploit this "insecure" code?
BTW: At least on Linux and Mac OS X isprint() returns 0 in both cases.
#include <stdio.h>
#include <ctype.h>
int main() {
char x='a'|0x80;
int y=x;
int z=(unsigned char)x;
printf("%d %d %d %d\n", y, z, isprint(y), isprint(z));
return 0;
}
Best regards,
Mike
More information about the stunnel-users
mailing list