Skip to main content.
home | support | download

Back to List Archive

Re: Vulnerabilities with Swish

From: Ron Klatchko <ron(at)not-real.ckm.ucsf.edu>
Date: Tue Nov 17 1998 - 01:02:25 GMT
Job de Haas wrote:
> 2) Buffer overflows
> 
> The code of the actual index and search program contains numerous buffer
> overflows. These are too superfluous to mention. For the arguments these can
> be circumvented by doing some preliminary limitation on the size of these
> user supplied arguments. The following will allow you to keep using the
> binaries you have:
> 
>         $query =~ s/(.{256}).*/$1/;
>         $results =~ s/(.{256}).*/$1/;

I would argue that this is the wrong place to put this code.  Buffer
overflow errors should be fixed in the primary C code so that no matter
how the program is called, you can't cause problems.  This only solves
it for AutoSwish (here at UCSF, we use a custom front end built prior to
the existence of AutoSwish).

moo
----------------------------------------------------------------------
          Ron Klatchko - Manager, Advanced Technology Group           
           UCSF Library and Center for Knowledge Management           
                           ron@ckm.ucsf.edu
Received on Mon Nov 16 17:03:52 1998