Re: SV: Avoiding Buffer Overflows

From: lists@notatla.demon.co.uk
Date: 01/10/02


To: security-discuss@linuxsecurity.com
Date: Wed,  9 Jan 2002 23:22:39 +0000 (GMT)
From: lists@notatla.demon.co.uk

From: Trano <Trano@gmx.net>

> Does this "exit(1)" really prevents the program from being exploited?

Yes. You need to return from the current function for the return address
to be used.

#include <string.h>

int main(int argc, char **argv)
{
         char buf[100+1]; // + NULL

         if (argc>1) strcpy(buf, argv[1]);
         /* strncpy(argv[1], buf, 100); */
/* return from function is implied */
}

./a.out `perl -e 'print "a"x200'`
a.out[31618]: Immunix SG 2.0 canary = aff0d died with cadaver 61616161
    in procedure main.

------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.