smtk2ssrf web service

Salvador Cuñat salvador.cunat at gmail.com
Sat Jun 10 00:08:24 PDT 2017


Good morning Robert

On Fri, Jun 09, 2017 at 09:43:11PM +0200, Robert Helling wrote:
>
> How confident are you that I cannot get in trouble by running this tool on (possibly evil) user supplied input? Does it fail gracefully? Do you have any intuition?
>
Yes, I saw your patch. My aproach to the gui issue was different, but
I think yours is much more elegant.

I'm pretty confident about it. I've run smtk2ssrf on files tweaked in
different ways to be wrong (ranging from binary files to text files
with weird character sequences, and genuine .slg files corrupted) and
it always fails well.

On the other side, there are some malloc/g_malloc calls which don't
check the result, these could be weak points if the server runs out of
memory. No problem on patching these.

Nevertheless will try to run some coverage tests on the importer to
try to find other weak points.

Thanks Robert.

Salva.


More information about the subsurface mailing list