[Python-Dev] PyErr_Format security note
M.-A. Lemburg
mal@lemburg.com
Mon, 15 Nov 1999 09:09:07 +0100
"A.M. Kuchling" wrote:
>
> I noticed this in PyErr_Format(exception, format, va_alist):
>
>     char buffer[500]; /* Caller is responsible for limiting the format */
>     ...
>     vsprintf(buffer, format, vargs);
>
> Making the caller responsible for this is error-prone. The danger, of
> course, is a buffer overflow caused by generating an error string
> that's larger than the buffer, possibly letting people execute
> arbitrary code. We could add a test to the configure script for
> vsnprintf() and use it when possible, but that only fixes the problem
> on platforms which have it. Can we find an implementation of
> vsnprintf() someplace?
In sysmodule.c, this check is done which should be safe enough
since no "return" is issued (Py_FatalError() does an abort()):
    if (vsprintf(buffer, format, va) >= sizeof(buffer))
        Py_FatalError("PySys_WriteStdout/err: buffer overrun");
--
Marc-Andre Lemburg
______________________________________________________________________
Y2000: 46 days left
Business: http://www.lemburg.com/
Python Pages: http://www.lemburg.com/python/
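
The two approaches in this thread differ in when the overrun is caught: the check quoted from sysmodule.c runs once vsprintf() has written the bytes, while vsnprintf() bounds the write itself. The following is an added example, not part of the original message and not CPython code; `bounded_format`, `format_name_error` and the sample name are hypothetical, and C99 vsnprintf() return semantics are assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 500 /* size of the buffer quoted in the thread */

/* Hypothetical helper, not CPython's. Returns 0 if the message fit, 1 if
 * it was truncated, -1 on error. Assumes C99 vsnprintf() return values. */
static int bounded_format(char *buf, size_t size, const char *format, ...)
{
    va_list vargs;
    int needed;
    if (size == 0)
        return -1;
    va_start(vargs, format);
    needed = vsnprintf(buf, size, format, vargs); /* writes <= size bytes */
    va_end(vargs);
    if (needed < 0)
        return -1;
    return (size_t)needed >= size; /* overrun reported, never performed */
}

/* Constructed input: a name of name_len bytes. Returns the status above,
 * or -2 if the guard byte behind the buffer changed. */
static int format_name_error(size_t name_len, size_t *out_len)
{
    struct { char buffer[ERRBUF_SIZE]; unsigned char guard; } s;
    char name[2048];
    int status;
    if (name_len >= sizeof(name))
        return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    s.guard = 0xA5;
    status = bounded_format(s.buffer, sizeof(s.buffer),
                            "name '%s' is not defined", name);
    if (s.guard != 0xA5)
        return -2;
    *out_len = (status < 0) ? 0 : strlen(s.buffer);
    return status;
}

int main(void)
{
    size_t n = 0;
    int status = format_name_error(2000, &n); /* constructed oversized name */
    printf("status=%d stored=%lu bytes\n", status, (unsigned long)n);
    return 0;
}
```

On C libraries that predate C99, vsnprintf() may return -1 on truncation instead of the required length, so the truncation test would need adapting there.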