RE: Administrivia: List Announcement
From: Oliver Lavery (oliver.lavery_at_sympatico.ca)
Date: 08/09/02
- Previous message: David R. Piegdon: "partial analysis of vulndev-1.c"
- Maybe in reply to: Dave McKinney: "Administrivia: List Announcement"
- Next in thread: Gustavo Scotti: "RE: Administrivia: List Announcement"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Shafik Yaghmour'" <subs@shafik.net>
Date: Fri, 9 Aug 2002 04:17:26 -0400
True, and a very good point.
Need to manually add a NULL as the last character for both buffers.
In fact, will the for-loop copy ever NULL terminate the string? Glancing at
it again, it doesn't seem so.
~ol
> -----Original Message-----
> From: Shafik Yaghmour [mailto:subs@shafik.net]
> Sent: May 13, 2003 3:22 PM
> To: xenophi1e
> Cc: vuln-dev@securityfocus.com
> Subject: Re: Administrivia: List Announcement
>
>
> On 13 May 2003, xenophi1e wrote:
>
> > >We'll kick this off with the first challenge, which was devised by
> > >Aaron
> > >Adams:
> > >
> > > strncpy(buf2, p2, SIZE);
> >
> > Off-by-one. Third arg should be SIZE-1 to leave room for the
> > terminating
> > NULL. This error should lead to a heap based vulnerability when the
> > memory is free()d.
>
> You are assuming there is a terminating NULL, there may not be.
> Although in this example it does not make a difference, but in a real
> world program it would probably be bad.
>
> Take care
>
> --
> Those who dream by day are cognizant of many things which
> escape those who dream only by night. -Edgar Allan Poe
>
>
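The termination question raised in this thread, as an added example that is not part of the original messages or of the challenge code: it contrasts the quoted `strncpy(buf2, p2, SIZE)` call with a bounded copy that always terminates and reports truncation. The value of `SIZE`, the helper names and the sample inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define SIZE 8                 /* assumed; the thread does not give the real value */

static char demo[SIZE];        /* constructed destination buffer */

/* Returns 1 if buf[0..size-1] contains a terminating '\0', else 0. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* The call quoted in the thread. strncpy() writes no terminator when
 * strlen(src) >= SIZE, so dst may not be a valid C string afterwards. */
int copy_as_posted(char *dst, const char *src)
{
    memset(dst, 'X', SIZE);    /* simulate stale, non-zero buffer contents */
    strncpy(dst, src, SIZE);
    return is_terminated(dst, SIZE);
}

/* Hardened form: copy at most SIZE-1 bytes and always terminate.
 * Returns 0 on a complete copy, -1 if src had to be truncated. */
int copy_bounded(char *dst, const char *src)
{
    size_t len = 0;
    while (len < SIZE - 1 && src[len] != '\0') {
        dst[len] = src[len];
        len++;
    }
    dst[len] = '\0';
    return src[len] == '\0' ? 0 : -1;
}

int main(void)
{
    const char *longer = "AAAAAAAAAAAA";   /* constructed input, 12 bytes */
    int rc;

    printf("as posted, short input: terminated=%d\n", copy_as_posted(demo, "abc"));
    printf("as posted, long input:  terminated=%d\n", copy_as_posted(demo, longer));
    rc = copy_bounded(demo, longer);
    printf("bounded, long input:    rc=%d terminated=%d\n", rc, is_terminated(demo, SIZE));
    return 0;
}
```

A caller that treats the `-1` return as an error rejects over-long input instead of silently working on a truncated string.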