Re: SV: Avoiding Buffer Overflows
From: lists@notatla.demon.co.uk
Date: 01/10/02
To: security-discuss@linuxsecurity.com
Date: Wed, 9 Jan 2002 23:22:39 +0000 (GMT)
From: lists@notatla.demon.co.uk
From: Trano <Trano@gmx.net>
> Does this "exit(1)" really prevent the program from being exploited?
Yes. You need to return from the current function for the return address
to be used.
    #include <string.h>

    int main(int argc, char **argv)
    {
        char buf[100+1];    // + NUL terminator
        if (argc>1) strcpy(buf, argv[1]);    /* unbounded copy: overflows buf */
        /* bounded alternative: strncpy(buf, argv[1], 100); buf[100] = '\0'; */
        /* return from function is implied */
    }
./a.out `perl -e 'print "a"x200'`
a.out[31618]: Immunix SG 2.0 canary = aff0d died with cadaver 61616161
in procedure main.
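
Added example, not part of the original message: a C model of the frame in the program above, showing that the canary and the saved return address are only consulted when the function returns, so leaving through exit(1) skips both. The struct layout, the function names and RET_ADDR are constructed for illustration; the canary value is the one in the log line above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of main()'s frame in the post: the buffer, then a
 * StackGuard-style canary, then the saved return address. */
struct frame { char buf[100 + 1]; uint32_t canary; uint32_t saved_ret; };

#define CANARY   0x000aff0du  /* canary value shown in the log line above */
#define RET_ADDR 0x08048000u  /* constructed placeholder return address */

enum outcome { RETURNED_OK, CANARY_ABORT, EXITED_EARLY, RET_CLOBBERED };

/* Models the unbounded strcpy(): bytes run past buf into the fields behind
 * it. Capped at sizeof *f so the model itself never leaves the struct. */
static void unchecked_copy(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    memcpy(f, src, n < sizeof *f ? n : sizeof *f);
}

/* The canary as the function epilogue would see it after copying arg. */
uint32_t canary_after(const char *arg)
{
    struct frame f = { "", CANARY, RET_ADDR };
    unchecked_copy(&f, arg);
    return f.canary;
}

/* What happens to the frame depending on how the function is left. */
enum outcome run(const char *arg, int exit_first, int canary_on)
{
    struct frame f = { "", CANARY, RET_ADDR };
    unchecked_copy(&f, arg);
    if (exit_first)                      /* exit(1): epilogue never runs,  */
        return EXITED_EARLY;             /* saved_ret is never loaded      */
    if (canary_on && f.canary != CANARY) /* epilogue check, before the ret */
        return CANARY_ABORT;
    return f.saved_ret == RET_ADDR ? RETURNED_OK : RET_CLOBBERED;
}

int main(void)
{
    char arg[201];
    memset(arg, 'a', 200);               /* same input as the post: "a" x 200 */
    arg[200] = '\0';
    printf("canary after copy: %x\n", (unsigned)canary_after(arg));
    printf("return, canary on: %d  exit first: %d\n", run(arg, 0, 1), run(arg, 1, 1));
    return 0;
}
```

In the exit(1) case the out-of-bounds write has still happened; only the use of the overwritten return address is avoided.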