memcpy with negative length and destination on heap - exploitable?
From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 12/24/01
- Previous message: KRFinisterre@checkfree.com: ""Universal Plug and Play technology exploit code""
- Next in thread: dullien@gmx.de: "Re: memcpy with negative length and destination on heap - exploitable?"
- Reply: dullien@gmx.de: "Re: memcpy with negative length and destination on heap - exploitable?"
- Reply: Pavel Kankovsky: "Re: memcpy with negative length and destination on heap - exploitable?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 24 Dec 2001 12:59:30 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: vuln-dev@security-focus.com
Hello vuln-dev,
Theoretically, are there any situations when it's possible to
exploit this kind of bug:
...
char src[FEW * KB_OF_DATA], * dst;
int len;
...
get_user_input(src, sizeof(src));
len = src[POSITION]; /* char is signed and can be negative! */
dst = malloc(256);
memcpy(dst, src + POSITION + 1, len);
...
len is too long when converted to size_t, and memcpy will crash... Is
it possible to avoid it if the destination buffer is on the heap? The program is
available on all possible platforms :)
-- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)
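The conversion the post asks about, as an added example that is not part of the original message: the first function shows the value memcpy actually receives when the length byte is read through a signed char, and the second is a hardened version of the copy that reads the length as unsigned and checks it against both the input and the destination size. POSITION (4) and DST_SIZE (256) are assumed values; the post never fixes POSITION.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POSITION 4      /* assumed offset of the length byte (not given in the post) */
#define DST_SIZE 256    /* size of the malloc'd destination in the post */

/* What the original snippet computes: the length byte goes through a
   signed char, so 0xFF becomes -1, and (size_t)-1 is SIZE_MAX. Returns
   the value memcpy would have been handed. signed char is used
   explicitly here since plain char signedness is platform-dependent. */
size_t length_as_memcpy_sees_it(unsigned char raw_byte)
{
    signed char c = (signed char)raw_byte; /* 0xFF -> -1, 0x80 -> -128 */
    int len = c;                           /* sign-extended into int */
    return (size_t)len;                    /* negative -> huge unsigned */
}

/* Hardened copy: read the length as unsigned (0..255), then refuse
   anything that is not actually present in the input or does not fit
   the destination. Returns bytes copied, or -1 if the input is rejected. */
long safe_copy(const unsigned char *src, size_t src_len,
               unsigned char *dst, size_t dst_size)
{
    if (POSITION >= src_len)
        return -1;                          /* no length byte in the input */
    size_t len = src[POSITION];             /* unsigned: can never be negative */
    size_t avail = src_len - POSITION - 1;  /* payload bytes after the length byte */
    if (len > avail || len > dst_size)
        return -1;                          /* would read or write out of bounds */
    memcpy(dst, src + POSITION + 1, len);
    return (long)len;
}
```

The rejection on `len > avail` matters as much as the destination check: a length byte that claims more payload than was received is the same class of bug on the read side.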