Re: Administrivia: List Announcement

From: David Riley (oscar_at_the-rileys.net)
Date: 05/13/03

  • Next message: Brian Hatch: "Re: Administrivia: List Announcement" 
    Date: Tue, 13 May 2003 13:36:24 -0400

    On Tuesday, May 13, 2003, at 12:25 PM, Dave McKinney wrote:

    > We'll kick this off with the first challenge, which was devised by
    > Aaron
    > Adams:
    >
    >
    > // vulndev-1.c
    > // vuln-dev mailing list security challenge #1
    > // by Aaron Adams <aadams@securityfocus.com>
    > // Spot the error in this program.
    >
    > #include <stdio.h>
    > #include <stdlib.h>
    >
    > #define SIZE 252
    >
    > int
    > main(int argc, char *argv[])
    > {
    > int i;
    > char *p1, *p2;
    > char *buf1 = malloc(SIZE);
    > char *buf2 = malloc(SIZE);
    >
    > if (argc != 3)
    > exit(1);
    >
    > p1 = argv[1], p2 = argv[2];
    > strncpy(buf2, p2, SIZE);
    > for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
    > buf1[i] = p1[i];
    >
    > free(buf1);
    > free(buf2);
    >
    > return 0;
    > }

    I'll start by saying that I like this idea... it'll give me a chance to
    brush up on my skills in this area.

    Now, the only error I see in this program is that the for() loop checks
    for i <= SIZE rather than i < SIZE. However, this doesn't seem to
    affect much... when I run the compiled program on my OS X machine with
    these args:

    ./vuln `perl -e 'print "a" x 2000'` `perl -e 'print "b" x 2000'`

    It exits cleanly. I imagine that it might overwrite a byte somewhere,
    but it's not really doing much for me.

    Thanks, and great idea,
            David

  • Next message: Brian Hatch: "Re: Administrivia: List Announcement"