Re: Administrivia: List Announcement
From: Brian Hatch (vuln-dev_at_ifokr.org)
Date: 05/13/03
- Previous message: David Riley: "Re: Administrivia: List Announcement"
- In reply to: Dave McKinney: "Administrivia: List Announcement"
- Next in thread: Wojciech Purczynski: "Re: Administrivia: List Announcement"
- Reply: Wojciech Purczynski: "Re: Administrivia: List Announcement"
- Reply: Luciano Miguel Ferreira Rocha: "Re: Administrivia: List Announcement"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 13 May 2003 10:45:21 -0700
To: vuln-dev@securityfocus.com
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> #define SIZE 252
>
> int
> main(int argc, char *argv[])
> {
> int i;
> char *p1, *p2;
> char *buf1 = malloc(SIZE);
> char *buf2 = malloc(SIZE);
Fails to verify buf1 and buf2 != NULL after malloc.
(and why not just use 'char buf1[SIZE];' and 'char buf2[SIZE];'??)
And for goodness sake, let's cast things properly if you're going
to malloc, and for good form include the size of the element, even
when it's a char:
char *buf1 = (char*)malloc( SIZE * sizeof(char) );
> p1 = argv[1], p2 = argv[2];
> strncpy(buf2, p2, SIZE);
strncpy doesn't null terminate if strlen(p2) > SIZE.
(Not necessarily an issue for this dinky program.)
> for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
> buf1[i] = p1[i];
Why not NULL terminate buf1?
(Again, we're not using it here anyway, but it seems silly not to.)
> free(buf1);
> free(buf2);
Assume the user makes the malloc fail by setting nasty process limits.
Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into
the locations they would be. Voila - overflow.
Or, since we're free'ing a memory location that was never malloc'd,
it's kind of like a double free bug (though since it was never malloc'd
properly in the first place, perhaps it needs a better name.)
--
Brian Hatch                         Time exists solely
Systems and                         for the purpose of
Security Engineer                   preventing everything
www.hackinglinuxexposed.com         from happening at once.

Every message PGP signed
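A hardened rewrite of the quoted program, added here as an example (it is not the list post's code and not Brian's suggested fix): the malloc results are checked, the copies are bounded and NUL-terminated, the off-by-one loop bound is corrected, and nothing is freed that was never obtained. The allocator is passed in as a function pointer (an assumption of this example, not something the original program does) so the malloc-failure path described above can be exercised directly instead of by setting process limits.

```c
/* Added example: hardened version of the quoted program (not the post's code).
 * The allocator is a parameter so the NULL-return path can be tested
 * without resorting to ulimit tricks. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SIZE 252
typedef void *(*alloc_fn)(size_t);

/* Copy at most dstsize-1 bytes of src into dst and always NUL-terminate.
 * Returns 1 if src fitted, 0 if it was truncated. The bound is i + 1 < dstsize;
 * the original's "i <= SIZE" writes one byte past the end of the buffer. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < dstsize && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0';
}

/* Program body. Returns 0 on success, 1 on a usage error, 2 when the
 * allocator returns NULL (which is what a tight memory limit makes malloc do). */
int process_args(int argc, char *argv[], alloc_fn alloc)
{
    char *buf1, *buf2;
    if (argc < 3) {
        fprintf(stderr, "usage: %s <string1> <string2>\n", argv[0]);
        return 1;
    }
    buf1 = alloc(SIZE);
    buf2 = alloc(SIZE);
    if (buf1 == NULL || buf2 == NULL) {
        /* Never copy into, or free, memory that was never obtained.
         * free(NULL) is defined as a no-op, so this cleanup is safe either way. */
        free(buf1);
        free(buf2);
        return 2;
    }
    copy_bounded(buf1, SIZE, argv[1]);
    copy_bounded(buf2, SIZE, argv[2]);
    free(buf1);
    free(buf2);
    return 0;
}

/* Stand-in allocator that always fails, used to exercise the error path. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

int main(int argc, char *argv[])
{
    return process_args(argc, argv, malloc);
}
```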