Category: Vulnerability - Warning Incident ID: X000807 Priority: 2 - Non-Critical Status: Confirmed 2000-08-08.
Determination of effective repair to be scheduled.
Component: all distributed versions of
Odma.dllup to 2.0.0
- Repaired in: none
Assigned To: Dennis E. Hamilton Reported By:
Dennis E. Hamilton 2000-08-05
Date Opened: 2000-08-05 Date Closed: none
For all ODMA API functions that provide a
handleas the first parameter, the ODMA Connection Managers defend against the
NULL. This is the only
ODM_E_HANDLEis produced. (API function
ODMQueryInterfacewill produce the
E_INVALIDARG.) If an application provides a non-
handleparameter that is not a currently-valid handle, the ODMA Connection Manager will fail, generally leading to an application termination under possibly-mysterious circumstances.
There are no reported production incidents attributable to this particular defect. It is documented as a warning for future trouble-shooting and for maintenance of Connection Manager implementations.
This condition is most likely to occur in development or maintenance of an ODMA-aware application. The conditions necessary to provoke failure are unlikely in well-behaved applications in production usage.
- The limitation of validation to detection of
handleparameters is confirmed by inspection of all ODMA Functions in Connection Manager module
odmaent.cpp, the set of C Language API entries.
- Vulnerability to mysterious behavior stems from the Connection Manager trusting non-
handlevalues to be valid pointers to a known C++ class implementation. The Connection Manager makes direct use of the
handleto make non-validated access to data of that class, including access to internal objects of that class.
- This may be one of those vulnerabilities for which there is little prospect for improvement. It must also be considered that release of a less-vulnerable Connection Manager implementation may have little impact on the use of widely-distributed legacy implementations.
- Identify all cases of use of minimally-screened
handleparameters and analyze the potential consequences. Completed: 2000-08-07.
- Review for possibility of any effective remedy. Weigh against the difficulty of increased validation and the limited impact it makes on existing implementations still in use.
- Propose staging for introduction of improved
handlevalidation, if any.
Please provide any relevant information and feedback to the ODMA Tech List or directly to the AIIM DMware Technical Coordinator.
created 2000-08-08-09:21 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 00-08-08 13:55 $
$$Revision: 4 $