vulndev-1 and a suggestion about the ensuing discussion
From: Bernie Cosell (bernie_at_fantasyfarm.com)
Date: 05/15/03
- Previous message: Cameron Brown: "RE: vulndev1.c solution (warning SPOILER)"
- Next in thread: xenophi1e: "Re: vulndev-1 and a suggestion about the ensuing discussion"
- Maybe reply: xenophi1e: "Re: vulndev-1 and a suggestion about the ensuing discussion"
- Maybe reply: Michael Wojcik: "RE: vulndev-1 and a suggestion about the ensuing discussion"
- Maybe reply: xenophi1e: "Re: vulndev-1 and a suggestion about the ensuing discussion"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: vuln-dev@securityfocus.com
Date: Wed, 14 May 2003 19:59:18 -0400
Let me comment that I see two directions of analysis on the buggy-code-
scraps we might be presented to look at:
1) understanding _really_ what the problem is, and
2) investigating how the problem manifests itself in different
contexts and under different sorts of attacks.
And from our comments, I can also see that we have sort of informally
divided into those two camps: with some discussing the peculiarities of
particular library calls while others dove in right away and tried to
exploit it on various platforms.
I have to confess I'm of the former camp, and with that, I'd like to take
a step back and ask: To my view, the *ONLY* problem in that little scrap
of code is that the 'for' loop clobbered *at*most* one byte, the byte
following the malloc of buf1 -- because of the off-by-one in the for loop
end test. Were there other problems in the code besides that? [as I
mentioned, it's been >20 yrs since I did much/any C programming so I'm more
than a bit rusty].
The second aspect is also interesting, but to my view *separate*: if my
above analysis is correct, then the question is, "how much damage can you
cause in various operating systems and with particular C compilers if you
can clobber that one byte off the end of a malloc" [with the answer being
"a widely variable amount of damage, of course..:o)]. And I realize this
is a burden [and I'm *NOT* volunteering...:o)] but I think it'd be
helpful for us all to have a bit of a summary after the dust settles:
Linux 8.0 w/gcc does THIS
Windows with Microsoft Visual C++ does THAT
...etc...
/bernie\
--
Bernie Cosell Fantasy Farm Fibers
mailto:bernie@fantasyfarm.com Pearisburg, VA
--> Too many people, too few sheep <--
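The bug class Bernie describes (a `for` loop whose end test is `<=` instead of `<`, so it writes exactly one byte past a malloc'd buffer) is easy to show in isolation. The following is an added, constructed example and is not the vulndev1.c code discussed in this thread; the copier names, the sentinel harness and the sample input are all assumptions made here so the one-byte overrun can be observed without corrupting real heap metadata.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example (not the vulndev1.c from the thread): a copy loop whose
 * end test is '<=' instead of '<' writes exactly one byte past an allocation
 * of 'len' bytes. The harness below allocates one spare byte holding a
 * sentinel so the overrun lands on the sentinel rather than on whatever the
 * allocator keeps after the block.
 */

#define SENTINEL 0xAA

typedef void (*copy_fn)(char *dst, const char *src, size_t len);

/* Buggy copier: the loop runs len+1 times and touches dst[len]. */
static void copy_off_by_one(char *dst, const char *src, size_t len)
{
    size_t i;
    for (i = 0; i <= len; i++)  /* BUG: '<=' runs one iteration too many */
        dst[i] = src[i];
}

/* Corrected copier: strict '<' keeps every write inside dst[0..len-1]. */
static void copy_bounded(char *dst, const char *src, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        dst[i] = src[i];
}

/*
 * Run a copier against a buffer that is logically 'len' bytes long but has one
 * hidden sentinel byte after it. Returns 1 if the sentinel was clobbered
 * (the copier wrote past the end), 0 if it survived, -1 on allocation failure.
 * 'src' must be a NUL-terminated string of at least 'len' characters so that
 * the buggy copier's read of src[len] is itself in bounds.
 */
static int clobbers_byte_after(copy_fn copier, const char *src, size_t len)
{
    unsigned char *backing = malloc(len + 1);  /* len bytes + 1 sentinel */
    int clobbered;

    if (backing == NULL)
        return -1;
    memset(backing, 0, len);
    backing[len] = SENTINEL;

    copier((char *)backing, src, len);

    clobbered = (backing[len] != SENTINEL);
    free(backing);
    return clobbered;
}

int main(void)
{
    const char *sample = "vulndev";  /* constructed input, 7 characters */
    size_t len = strlen(sample);

    printf("off-by-one loop clobbers byte after buffer: %d\n",
           clobbers_byte_after(copy_off_by_one, sample, len));
    printf("bounded loop clobbers byte after buffer:    %d\n",
           clobbers_byte_after(copy_bounded, sample, len));
    return 0;
}
```

The sentinel only answers Bernie's first question (is the damage really limited to one byte?). His second question, what that byte is on a given platform, depends on the allocator: it may be alignment padding or the start of the next chunk's header. The practical way to get that answer for a specific toolchain is to compile the buggy copier against a plain `malloc(len)` buffer with `-fsanitize=address`, which reports the write to `dst[len]` as a heap-buffer-overflow together with the allocation it sits next to.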