Re: Administrivia: List Announcement

From: Wojciech Purczynski (cliph_at_isec.pl)
Date: 05/14/03

    Date: Wed, 14 May 2003 14:12:54 +0200 (CEST)
    To: Brian Hatch <vuln-dev@ifokr.org>
    
    

    > > for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
    > > buf1[i] = p1[i];
    >
    > Why not NULL terminate buf1?
    > (Again, we're not using it here anyway, but it seems silly not to.)

    You missed an off-by-one bug.

    > > free(buf1);
    > > free(buf2);
    >
    > Assume the user makes the malloc fail by setting nasty process limits.
    > Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into
    > the locations they would be. Voila - overflow.
    >
    > Or, since we're free'ing a memory location that was never malloc'd,
    > it's kind of like a double free bug (though since it was never malloc'd
    > properly in the first place, perhaps it needs a better name.)

    In case of malloc failure you'll get a NULL-pointer dereference at strncpy()
    or the for-loop. No overflows, no double free bugs at all (assuming you have
    no memory pages mapped at 0x0 ;) )

    Cheers,
    wp

    -- 
    Wojciech Purczynski
    iSEC Security Research
    http://isec.pl/
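
Added example, not part of the original message or of the challenge code: it counts how many bytes the quoted `i <= SIZE` loop stores into a SIZE-byte buffer, and shows a copy that checks the allocation result and stays in bounds. The value of `SIZE`, the function names and the `failing_alloc` stand-in for a malloc() failure are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 16 /* assumed; the quoted fragment does not show the real value */

/* Counts the stores the quoted loop (i <= SIZE) would make for src.
 * It only counts and never writes, so it is safe to run. */
size_t quoted_loop_stores(const char *src)
{
    size_t i;
    for (i = 0; i <= (size_t)SIZE && src[i] != '\0'; i++)
        ;
    return i;
}

/* Hypothetical allocator that always fails, standing in for malloc()
 * under a tight resource limit. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}

/* Hardened copy: checks the allocation, stops at SIZE - 1 bytes and
 * NUL-terminates. Returns NULL if the allocation fails. */
char *copy_bounded(const char *src, void *(*alloc)(size_t))
{
    size_t i;
    char *buf = alloc(SIZE);
    if (buf == NULL)
        return NULL;
    for (i = 0; i < (size_t)SIZE - 1 && src[i] != '\0'; i++)
        buf[i] = src[i];
    buf[i] = '\0';
    return buf;
}

int main(void)
{
    const char *longer = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 32 bytes */
    char *ok = copy_bounded(longer, malloc);
    printf("quoted loop stores %zu bytes into a %d-byte buffer\n",
           quoted_loop_stores(longer), SIZE);
    printf("bounded copy length: %zu\n", ok ? strlen(ok) : 0);
    printf("failed allocation handled: %s\n",
           copy_bounded(longer, failing_alloc) == NULL ? "yes" : "no");
    free(ok);
    return 0;
}
```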
    
