Re: Administrivia: List Announcement
From: Wojciech Purczynski (cliph_at_isec.pl)
Date: 05/14/03
- Previous message: Cameron Brown: "RE: vulndev1.c solution (warning SPOILER)"
- In reply to: Brian Hatch: "Re: Administrivia: List Announcement"
- Next in thread: Luciano Miguel Ferreira Rocha: "Re: Administrivia: List Announcement"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 14 May 2003 14:12:54 +0200 (CEST)
To: Brian Hatch <vuln-dev@ifokr.org>
> > for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
> > buf1[i] = p1[i];
>
> Why not NULL terminate buf1?
> (Again, we're not using it here anyway, but it seems silly not to.)
You missed an off-by-one bug.
> > free(buf1);
> > free(buf2);
>
> Assume the user makes the malloc fail by setting nasty process limits.
> Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into
> the locations they would be. Voila - overflow.
>
> Or, since we're free'ing a memory location that was never malloc'd,
> it's kind of like a double free bug (though since it was never malloc'd
> properly in the first place, perhaps it needs a better name.)
In case of malloc failure you'll get a NULL-pointer dereference at strncpy()
or in the for-loop. No overflows, no double free bugs at all (assuming you have
no memory pages mapped at 0x0 ;) )
Cheers,
wp
--
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
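The two points argued in this thread, the `i <= SIZE` off-by-one in the quoted copy loop and what actually happens when malloc() fails, can be checked in a few lines of C. The program below is an added illustration, not code from the vuln-dev thread or from vulndev1.c: it reproduces the quoted loop against a scratch buffer that is deliberately one byte larger than SIZE (so the demo itself stays in bounds while counting how many bytes the loop writes), puts the bounded, NUL-terminating version next to it, and shows the malloc() result being checked instead of handed to the copy. SIZE, the input string and the `fail_alloc` hook that simulates a failed allocation are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 16   /* buffer size assumed for this example; the original program's value is not shown */

/* Reproduces the loop quoted in the thread:
 *   for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i];
 * `dst` must have SIZE+1 bytes here so the demonstration stays in bounds.
 * The return value is the number of bytes the loop writes: for an input of
 * SIZE+1 or more characters that is SIZE+1, one past the end of a SIZE-byte
 * buffer. The loop also never writes a terminating NUL. */
size_t copy_off_by_one(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

/* Corrected copy into a destination of exactly SIZE bytes: at most SIZE-1
 * characters, always NUL-terminated. Returns the number of characters copied. */
size_t copy_bounded(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i < SIZE - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* Allocate a SIZE-byte buffer and copy `src` into it, checking the malloc()
 * result so a failed allocation is reported instead of becoming a write
 * through a NULL pointer. `fail_alloc` is a constructed hook that simulates
 * malloc() returning NULL (e.g. under a tight RLIMIT_AS). Caller frees. */
char *dup_bounded(const char *src, int fail_alloc)
{
    char *buf = fail_alloc ? NULL : malloc(SIZE);
    if (buf == NULL)
        return NULL;          /* nothing was allocated, so nothing to free */
    copy_bounded(buf, src);
    return buf;
}

int main(void)
{
    char scratch[SIZE + 1];   /* one spare byte so the buggy loop can be measured safely */
    char fixed[SIZE];
    /* constructed input: 32 'A's, longer than SIZE */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("quoted loop writes %zu bytes into what should be a %d-byte buffer\n",
           copy_off_by_one(scratch, input), SIZE);
    printf("bounded loop writes %zu chars plus NUL: \"%s\"\n",
           copy_bounded(fixed, input), fixed);

    char *d = dup_bounded(input, 1);
    printf("simulated malloc() failure handled: %s\n", d == NULL ? "yes" : "no");

    d = dup_bounded(input, 0);
    if (d != NULL) {
        printf("allocated copy: \"%s\"\n", d);
        free(d);
    }
    return 0;
}
```

With SIZE at 16 the quoted loop reports 17 bytes written, which is the off-by-one Wojciech points out; the bounded version stops at 15 characters and terminates the string, and the allocation path returns NULL rather than copying into address 0.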