Re: Administrivia: List Announcement

From: Bernie Cosell (bernie_at_fantasyfarm.com)
Date: 05/13/03

  • Next message: David R. Piegdon: "partial analysis of vulndev-1.c" 
    To: vuln-dev@securityfocus.com
Date: Tue, 13 May 2003 15:11:05 -0400

    On 13 May 2003 at 10:25, Dave McKinney wrote:

    > ... The basic idea is that people are presented with a
    > fabricated program that may have an exploitable security issue and then as
    > a group, we can discuss where the problem exists and what the nature of
    > the problem is, possibly even developing a proof-of-concept to establish
    > whether or not the issue is exploitable.

    > We'll kick this off with the first challenge, which was devised by Aaron
    > Adams:

    I have to confess that I've not done hardly any C programming in a LOT of
    years, but there's at least one obvious problem in this little program:

    > char *buf1 = malloc(SIZE);
    >
    > for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                          ^^^^^^^^^
    > buf1[i] = p1[i];

    that's clearly off by one and so the loop will run at least one char past
    the end of buf1, clobbering one byte beyond the end of the chunk of space
    that got malloc'ed for buf1.

    What harm that causes is hard to evaluate, though, isn't it? Doesn't it
    depend a lot on how a particular C compiler lays things out and how the
    libraries (in particular, malloc) work and what else the program has been
    doing?

      /Bernie\ 

    -- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie@fantasyfarm.com     Pearisburg, VA
    -->  Too many people, too few sheep  <--
  • Next message: David R. Piegdon: "partial analysis of vulndev-1.c"