Re: Java and buffer overflows

From: KF (dotslash@snosoft.com)
Date: 06/25/02


Date: Mon, 24 Jun 2002 23:40:07 -0400
From: KF <dotslash@snosoft.com>
To: felix@cannabis.net

Not sure if this helps .... I was trying to come up with a scenario that
passed user input to a buffer but the compiler kept barking at me so
this is the best I can do.

[root@qa5 root]# cat test.java
class test
{
        public static void main(String args[])
        {

                String[] test = new String[4];
                test[0] = "A";
                test[1] = "A";
                test[2] = "A";
                test[3] = "A";
                test[4] = "A";
                test[5] = "A";
                test[6] = "A";
        }
}

[root@rcmqa5 root]# javac test.java
[root@rcmqa5 root]# java test
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 4
        at test.main(test.java:11)

-KF

Felix Harris wrote:

>>I was wondering if code written in JAVA (or .NET) is vulnerable to buffer overflows.
>>If yes, what are the differences in the process of exploiting?
>>Any online source?
>>
>
>
>well afaik one of the main reasons for creating Java was to make it
>a safe language, as there are no complications between pointers
>and buffers. Buffers are also length-checked, and pointers don't
>really have the required scope to be exploited. If there was an
>exploit for a java program, it would probably exist as a bug in the
>virtual machine, or in a call to a c/c++ program/library. IIRC, there
>was something about zlib being exploitable?
>--
>Felix Harris
>felix@cannabis.net
>I say goodbye and raindrops taste like tears
>In the pouring rain I stand and die alone
>
>
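
Added example (not part of the original thread): the scenario KF describes, user input copied into a fixed-size buffer, written so that it compiles and shows what the JVM does at run time. The class, method and variable names are hypothetical and the default input is a constructed sample.

```java
import java.nio.charset.StandardCharsets;

// Added illustration, not code from the thread. Class, method and variable
// names are hypothetical; the 24-byte default input is a constructed sample.
public class BoundsDemo {
    static final int BUF_LEN = 8;

    // Copy written like a C strcpy() loop, with no length check of its own.
    // Returns the number of bytes stored before the JVM stopped the loop.
    static int uncheckedCopy(byte[] input, byte[] buf) {
        int stored = 0;
        try {
            for (int i = 0; i < input.length; i++) {
                buf[i] = input[i]; // every store is checked against buf.length
                stored++;
            }
        } catch (ArrayIndexOutOfBoundsException e) {
            // Store number BUF_LEN is refused; nothing outside buf was written.
            System.out.println("store rejected: " + e);
        }
        return stored;
    }

    // Validate first, so oversized input is refused before buf is touched.
    static boolean checkedCopy(byte[] input, byte[] buf) {
        if (input.length > buf.length) {
            return false;
        }
        System.arraycopy(input, 0, buf, 0, input.length);
        return true;
    }

    public static void main(String[] args) {
        String supplied = args.length > 0 ? args[0] : "AAAAAAAAAAAAAAAAAAAAAAAA";
        byte[] input = supplied.getBytes(StandardCharsets.US_ASCII);

        byte[] buf = new byte[BUF_LEN];
        int stored = uncheckedCopy(input, buf);
        // With oversized input, buf is partially filled before the exception:
        // the failure is memory-safe, but the buffer is left half-written.
        System.out.println("bytes stored before rejection: " + stored);

        byte[] clean = new byte[BUF_LEN];
        System.out.println("checked copy accepted: " + checkedCopy(input, clean));
        System.out.println("clean buffer untouched: " + (clean[0] == 0));
    }
}
```

If the exception is not caught, the thread terminates as in KF's run above, so the remaining exposure in pure Java code is availability rather than memory corruption.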


