[ossec-dev] Re: [Bug 87] New: os_regex_maps hostname_map errors

[Trey Valenta <t@xxxxxxxx>]

On Wed, Oct 10, 2007 at 05:11:20PM -0300, Daniel Cid wrote:
> Hi,
> 
> Regarding the hostname map, your assessment is not correct.
> 
> In the map, the characters that we want to use (a-z, A-Z, 0-9, etc) are set
> to "\001" and all the others are kept in any other way (generally their default
> value). When we use isValidChar, we check if the return code is 1, not the
> value of the character.
> 
> So, we allow the desired and deny everything else, like the good security
> practices tell us :)

Hey Daniel,

Thanks for the reply -- I see my error now. So it looks like only (, ),
and / are erroneously matched. (I count 69 valid entries (\001) but
I think there should only be 26*2 + 10 +4 == 66. Or 65, since the
underscore isn't a valid hostname character).

> As for the sun compiler, I never used that, but the mapping is set to
> unsigned char, so it shouldn't be a problem.... However, without access to
> the compiler, it is very hard for me to fix it (patches welcome).

I'll try a few tests on this. Yes, the mapping is an unsigned char, but
I think Sun's compiler evaluates \300 as a signed value, before
assigning it to the array. So the element '\300' is evaluated as -64,
whereas 0300 is treated correctly.

/trey

-- 
<t(Trey)@(Valenta)trey.net> Seattle, Wash.