ODMA Incident Report

X000807: Minimal Validation of handle Parameters

Last updated 2000-08-08-13:56 -0700 (pdt)
Category: Vulnerability - Warning Incident ID: X000807
Priority: 2 - Non-Critical Status: Confirmed 2000-08-08.
Determination of effective repair to be scheduled.
Component: all distributed versions of ODMA32.dll and Odma.dll up to 2.0.0
Repaired in: none
Assigned To: Dennis E. Hamilton Reported By: 
Dennis E. Hamilton 2000-08-05
Date Opened: 2000-08-05 Date Closed: none

Summary:

For all ODMA API functions that provide a handle as the first parameter, the ODMA Connection Managers defend against the handle being NULL.  This is the only handle validationODMSTATUS value ODM_E_HANDLE is produced.  (API function ODMQueryInterface will produce the HRESULT E_INVALIDARG.)  If an application provides a non-NULL handle parameter that is not a currently-valid handle, the ODMA Connection Manager will fail, generally leading to an application termination under possibly-mysterious circumstances.

There are no reported production incidents attributable to this particular defect.  It is documented as a warning for future trouble-shooting and for maintenance of Connection Manager implementations.

This condition is most likely to occur in development or maintenance of an ODMA-aware application.  The conditions necessary to provoke failure are unlikely in well-behaved applications in production usage.

Analysis:

  1. The limitation of validation to detection of NULL-valued handle parameters is confirmed by inspection of all ODMA Functions in Connection Manager module odmaent.cpp, the set of C Language API entries.
  2. Vulnerability to mysterious behavior stems from the Connection Manager trusting non-NULL handle values to be valid pointers to a known C++ class implementation.  The Connection Manager makes direct use of the handle to make non-validated access to data of that class, including access to internal objects of that class.
  3. This may be one of those vulnerabilities for which there is little prospect for improvement.  It must also be considered that release of a less-vulnerable Connection Manager implementation may have little impact on the use of widely-distributed legacy implementations.

Actions:

  1. Identify all cases of use of minimally-screened handle parameters and analyze the potential consequences.  Completed: 2000-08-07.  
  2. Review for possibility of any effective remedy.  Weigh against the difficulty of increased validation and the limited impact it makes on existing implementations still in use.
  3. Propose staging for introduction of improved handle validation, if any.

Please provide any relevant information and feedback to the ODMA Tech List or directly to the AIIM DMware Technical Coordinator.

created 2000-08-08-09:21 -0700 (pdt) by orcmid
$$Author: Orcmid $
$$Date: 00-08-08 13:55 $
$$Revision: 4 $