My MUA insists that "Ronald L. Sharp" wrote:
> Some poorly written programs, and there are many, will
> use the wrong C commands and an overflow of the field's buffer can
> allow an attacker to place instructions on the execution stack. The
> result is obvious.
> A standard proxy application should be able to prevent this by its
> very nature. It will use the proper C commands with fixed buffer
> sizes and will truncate the data to the proper size before passing
> it on.
How does the proxy know the size of the buffer being used by the client or server at either end? That may vary from one implementation to another. The author of the proxy cannot know what buffer size will be correct for all situations.
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
com - (312) 732-7392
I never give them hell. I just tell the truth and they think it's hell. - H. Truman
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e
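The bounded-copy-and-truncate approach the quoted text describes, together with the reply's caveat that the limit is the proxy author's own policy rather than knowledge of the endpoint's buffer, as an added C example (not code from either poster); PROXY_FIELD_MAX and the function names are assumptions:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical proxy policy: the longest field the proxy will forward.
 * It bounds the proxy's own fixed buffers; it says nothing about the
 * buffer size the client or server on either side actually uses. */
#define PROXY_FIELD_MAX 64

/* Bounded copy into a fixed-size buffer: always NUL-terminates and never
 * writes past dst_len bytes. Returns the number of source bytes dropped
 * (0 if the field fit), so callers can log truncation rather than
 * silently forwarding a shortened field. */
size_t copy_field_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t src_len = strlen(src);
    size_t keep;

    if (dst_len == 0)
        return src_len;
    keep = src_len < dst_len - 1 ? src_len : dst_len - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return src_len - keep;
}

/* Proxy-side handling of one protocol field: stage it through a fixed
 * buffer of PROXY_FIELD_MAX bytes, then hand the (possibly truncated)
 * result to the caller's output buffer. Returns 1 if the field was cut. */
int proxy_sanitize_field(const char *in, char *out, size_t out_len)
{
    char staging[PROXY_FIELD_MAX];
    size_t dropped = copy_field_bounded(staging, sizeof staging, in);

    if (dropped > 0)
        fprintf(stderr, "proxy: field truncated, %zu bytes dropped\n", dropped);
    /* Truncation only protects the proxy's own buffers; a downstream
     * server with a smaller buffer than PROXY_FIELD_MAX is still its
     * own problem, which is the reply's objection. */
    copy_field_bounded(out, out_len, staging);
    return dropped > 0;
}

int main(void)
{
    char oversized[200];          /* constructed input: 199 'A' bytes */
    char out[128];

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("truncated=%d forwarded_len=%zu\n",
           proxy_sanitize_field(oversized, out, sizeof out), strlen(out));
    return 0;
}
```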