RE: [Format String vulnerabilities]
From: Chris Eagle (cseagle_at_redshift.com)
Date: 05/29/04
- Previous message: Gerardo Richarte: "Re: [Format String vulnerabilities]"
- In reply to: Gerardo Richarte: "Re: [Format String vulnerabilities]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <vuln-dev@securityfocus.com> Date: Sat, 29 May 2004 04:00:21 -0700
Gerardo Richarte wrote:
> > Surely however the format string *itself* isn't passed on the stack
> > but a pointer to the format string. therefore the %x modifer would
> > return a hex representation of the address pointing to the string, *not*
> > a hex representation of the string contents?
>
> Everything you said is correct, except for 2 things:
>
> . the fact that the format string itself is not in the
> stack. This is actually why there is a buf[1024] and a
> strncpy(buf,argv[1],sizeof(buf)): to copy the format string to the stack.
>
...
> the code is:
>
> > fmt1.c ----------------------------------------------------
> >
> > int main(int argc, char *argv[]) {
> > char buf[1024];
> >
> > strncpy(buf, argv[1], sizeof(buf));
> > printf(argv[1]);
> > printf("\n");
> > }
> > ------------------------------------------------------------
argv[1] is already on the stack, there is no need for the strncpy call to
copy the format string to the stack. In fact, in this case, the call places
a second copy of argv[1] on the stack.
Chris
- Previous message: Gerardo Richarte: "Re: [Format String vulnerabilities]"
- In reply to: Gerardo Richarte: "Re: [Format String vulnerabilities]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
