[Asterisk-Dev] Re: Is anyone thinking anymore?

Dr. Rich Murphey rich at WhiteOakLabs.com
Sun Jul 25 15:16:39 MST 2004


Plus, when an attacker smashes the stack or heap, overwriting that constant,
strncpy() blocks a potential route of further attack.

This may seem to be a petty contribution to security, but every layer of
prevention helps reinforce surrounding layers.

Asterisk is already a popular target, so it's not unreasonable to expect
hackers to help us identify all the low hanging fruit (vulnerabilities).  By
closing these potential paths for vulnerabilities, we further focus their
efforts on identifying less trivial vulnerabilities.

Rich

> -----Original Message-----
> From: asterisk-dev-admin at lists.digium.com 
> [mailto:asterisk-dev-admin at lists.digium.com] On Behalf Of Sam Bingner
> Sent: Sunday, July 25, 2004 4:24 PM
> To: asterisk-dev at lists.digium.com
> Subject: RE: [Asterisk-Dev] Re: Is anyone thinking anymore?
> 
> Because when some strange person changes the size to 2 bytes 
> in the future to make it a 16-bit bitmap, it won't segfault...
> 
> Sam
> 
> -----Original Message-----
> From: asterisk-dev-admin at lists.digium.com
> [mailto:asterisk-dev-admin at lists.digium.com] On Behalf Of 
> Tony Mountifield
> Sent: Sunday, July 25, 2004 11:02 AM
> To: asterisk-dev at lists.digium.com
> Subject: [Asterisk-Dev] Re: Is anyone thinking anymore?
> 
> 
> In article <200407251656.i6PGuCaa028305 at xa.houston.rr.com>,
> Dr. Rich Murphey <rich at WhiteOakLabs.com> wrote:
> > From a practical standpoint, this also reduces the cost (effort, time, etc.)
> > for maintaining security audits.
> >
> > August is a popular month for exploits to be released.  I'm glad we're
> > better prepared.
> 
> How does using strncpy() to copy a constant 3-char+terminator 
> string into a 40-byte array make us better prepared?
> 
> Cheers
> Tony
> --
> Tony Mountifield
> Work: tony at softins.co.uk - http://www.softins.co.uk
> Play: tony at mountifield.org - http://tony.mountifield.org 
> _______________________________________________
> Asterisk-Dev mailing list
> Asterisk-Dev at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-dev
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-dev
> 
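A worked illustration of the copy the thread is arguing about, added here as an example and not code from the thread or from Asterisk itself: a constructed source of n bytes is copied into a 40-byte field, once with the bare strncpy(dst, src, sizeof dst) call and once with the same bounded copy followed by an explicit terminator. FIELD_LEN, copy_field and the copy_result struct are names chosen for this example, and the 'A'-filled source is constructed input (n == 3 stands in for the 3-char constant; a large n stands in for that constant after something has replaced it with a longer string). It shows the property Rich relies on, that the write never extends past the 40 bytes however long the source becomes, together with the caveat a reviewer would raise next to it: with a source of 40 bytes or more, strncpy() leaves no NUL inside the field, so a later strlen() or printf("%s") reads past it unless the terminator is forced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 40   /* the 40-byte destination array discussed in the thread */

struct copy_result {
    size_t stored;     /* length of the string now in the field (FIELD_LEN if unterminated) */
    size_t dropped;    /* source bytes that did not fit */
    int terminated;    /* 1 if a NUL byte lies inside the FIELD_LEN-byte field */
    int zero_padded;   /* 1 if every byte after the string is NUL (strncpy pads) */
};

/* Copy a constructed source of n 'A' bytes into a FIELD_LEN field.
 * force_nul == 0: the bare strncpy(dst, src, sizeof dst) call.
 * force_nul == 1: copy at most FIELD_LEN-1 bytes, then write the terminator. */
struct copy_result copy_field(size_t n, int force_nul)
{
    char src[512];              /* constructed source, not data from the page */
    char dst[FIELD_LEN];
    struct copy_result r = {0, 0, 0, 0};
    size_t i;

    if (n > sizeof src - 1)
        n = sizeof src - 1;
    memset(src, 'A', n);
    src[n] = '\0';
    memset(dst, 'X', sizeof dst);   /* poison: shows which bytes the copy touched */

    if (force_nul) {
        strncpy(dst, src, sizeof dst - 1);
        dst[sizeof dst - 1] = '\0';
    } else {
        strncpy(dst, src, sizeof dst);  /* writes at most FIELD_LEN bytes, never past dst */
    }

    r.terminated = memchr(dst, '\0', sizeof dst) != NULL;
    r.stored = r.terminated ? strlen(dst) : sizeof dst;
    r.dropped = n > r.stored ? n - r.stored : 0;
    r.zero_padded = r.terminated;
    for (i = r.stored; i < sizeof dst; i++)
        if (dst[i] != '\0')
            r.zero_padded = 0;
    return r;
}

int main(void)
{
    size_t cases[] = {3, 39, 40, 100};
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct copy_result raw = copy_field(cases[i], 0);
        struct copy_result fixed = copy_field(cases[i], 1);
        printf("src=%3zu  raw: stored=%2zu dropped=%2zu nul=%d  forced: stored=%2zu dropped=%2zu nul=%d\n",
               cases[i], raw.stored, raw.dropped, raw.terminated,
               fixed.stored, fixed.dropped, fixed.terminated);
    }
    return 0;
}
```

Compile with cc -Wall and run; the 40-byte and 100-byte rows show the bare call filling the field with no NUL (nul=0), while the forced-terminator variant always stores at most 39 bytes and terminates. The 3-byte row also shows why strncpy() is heavier than it looks: the remaining 37 bytes are written as NUL padding, which is the zero_padded flag.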
