Re: Administrivia: List Announcement
From: Wojciech Purczynski (cliph_at_isec.pl)
Date: Wed, 14 May 2003 14:12:54 +0200 (CEST)
To: Brian Hatch <firstname.lastname@example.org>

> > for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
> >     buf1[i] = p1[i];
> Why not NULL terminate buf1?
> (Again, we're not using it here anyway, but it seems silly not to.)
You missed an off-by-one bug.
> > free(buf1);
> > free(buf2);
> Assume the user makes the malloc fail by setting nasty process limits.
> Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into
> the locations they would be. Voila - overflow.
> Or, since we're free'ing a memory location that was never malloc'd,
> it's kind of like a double free bug (though since it was never malloc'd
> properly in the first place, perhaps it needs a better name.)
In case of malloc failure you'll get a NULL-pointer dereference at strncpy()
or the for-loop. No overflows, no double free bugs at all (assuming you have
no memory pages mapped at 0x0 ;) )
--
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
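
The two points raised in this message, as an added example that is not part of the original post or the code under discussion: the `i <= SIZE` loop stores one byte more than a SIZE-byte buffer holds, and a copy routine that checks the malloc result never reaches the NULL dereference. The value of `SIZE` and the function names `quoted_loop_writes` and `copy_bounded` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 16 /* assumed value; the thread does not state SIZE */

/* Counts how many bytes the quoted loop (condition i <= SIZE) would store
 * for a source of src_len bytes. It only counts; nothing is written. */
size_t quoted_loop_writes(size_t src_len)
{
    size_t i, n = 0;
    for (i = 0; i <= SIZE && i < src_len; i++)
        n++;
    return n;
}

/* Hardened form (hypothetical helper): checks the allocation, stops at
 * SIZE - 1 and always NUL-terminates. Caller frees the result. */
char *copy_bounded(const char *src)
{
    char *buf;
    size_t i;

    if (src == NULL)
        return NULL;
    buf = malloc(SIZE);
    if (buf == NULL)
        return NULL; /* never copy through a failed allocation */
    for (i = 0; i < SIZE - 1 && src[i] != '\0'; i++)
        buf[i] = src[i];
    buf[i] = '\0';
    return buf;
}

int main(void)
{
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 24 bytes */
    char *out = copy_bounded(input);

    if (out == NULL)
        return 1;
    printf("quoted loop: %zu stores into a %d-byte buffer\n",
           quoted_loop_writes(strlen(input)), SIZE);
    printf("bounded copy: %zu bytes kept plus terminator\n", strlen(out));
    free(out);
    return 0;
}
```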