Re: Administrivia: List Announcement

From: Wojciech Purczynski (cliph_at_isec.pl)
Date: 05/14/03

    Date: Wed, 14 May 2003 14:12:54 +0200 (CEST)
    To: Brian Hatch <vuln-dev@ifokr.org>


    > > for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
    > > buf1[i] = p1[i];
    >
    > Why not NULL terminate buf1?
    > (Again, we're not using it here anyway, but it seems silly not to.)

    You missed an off-by-one bug.

    > > free(buf1);
    > > free(buf2);
    >
    > Assume the user makes the malloc fail by setting nasty process limits.
    > Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into
    > the locations they would be. Voila - overflow.
    >
    > Or, since we're free'ing a memory location that was never malloc'd,
    > it's kind of like a double free bug (though since it was never malloc'd
    > properly in the first place, perhaps it needs a better name.)

    In case of a malloc failure you'll get a NULL-pointer dereference at strncpy()
    or in the for loop. No overflows, no double free bugs at all (assuming you have
    no memory pages mapped at 0x0 ;) )

    Cheers,
    wp

    -- 
    Wojciech Purczynski
    iSEC Security Research
    http://isec.pl/
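The two defects discussed in this message, as an added C example that is not from the vuln-dev exercise or from either poster: the quoted loop instrumented to count its writes (so the off-by-one shows up as SIZE + 1 writes into a SIZE-byte buffer), beside a hardened copy that checks malloc() and NUL-terminates. SIZE, failing_malloc and the function names are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed size for this example; the exercise's real SIZE is not on this page. */
#define SIZE 8

/* Stand-in allocator that always fails, to reproduce the malloc-failure case
   Brian describes without touching process limits (hypothetical helper). */
static void *failing_malloc(size_t n) { (void)n; return NULL; }

/* The quoted loop, counting writes instead of performing them: with `i <= SIZE`
   the body also runs for i == SIZE, so a source of SIZE or more non-NUL bytes
   yields SIZE + 1 writes into a SIZE-byte buffer. That is the off-by-one. */
static size_t quoted_loop_writes(const char *p1)
{
    size_t i, writes = 0;
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        writes++;
    return writes;
}

/* Hardened copy: checks the allocation (so a NULL return is reported, not
   dereferenced), bounds the loop at SIZE - 1 and NUL-terminates buf1.
   The allocator is a parameter only so the failure path can be exercised. */
static char *safe_copy(const char *p1, void *(*alloc)(size_t))
{
    size_t i;
    char *buf1 = alloc(SIZE);
    if (buf1 == NULL)
        return NULL;
    for (i = 0; i < SIZE - 1 && p1[i] != '\0'; i++)
        buf1[i] = p1[i];
    buf1[i] = '\0';
    return buf1;
}

/* Length of the hardened copy, or (size_t)-1 when allocation failed. */
static size_t safe_copy_len(const char *p1, void *(*alloc)(size_t))
{
    char *c = safe_copy(p1, alloc);
    size_t n = c ? strlen(c) : (size_t)-1;
    free(c);
    return n;
}
```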
    
