vulnerabilities in this code chunk



Heylo,
I am trying to find all the vuln's in this code chunk, and the only thing I can come up with is a null pointer dereference. Assume data and data_len are user controlled.
Null pointer happens when passing in a negative number. I was looking hard at the memset functions but I couldn't come up with anything.
Anyone else see anything here?
Thanks!

char *copy_data(char *data, unsigned int data_len)
{
    unsigned int header_size = 8;
    char *buf;

    if (!(buf = malloc(data_len + header_size)))
    {
        return NULL;
    }
    memcpy(buf, "HEADER: ", 8);
    memcpy(buf + 8, data, data_len);
    return buf;
}
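
Added example, not part of the original post: data_len + header_size is unsigned arithmetic, so it wraps for data_len values within 8 of UINT_MAX and malloc() is asked for 0 to 7 bytes while both memcpy() calls still use the original lengths. The names posted_alloc_size, copy_data_checked and the out_len parameter are hypothetical; the block shows the wrapped size and one way to reject such lengths before allocating.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define HEADER      "HEADER: "
#define HEADER_SIZE 8u   /* same constant as header_size in the posted code */

/* The size the posted code hands to malloc(). Unsigned addition wraps
 * modulo UINT_MAX + 1, so a very large data_len gives a tiny request. */
unsigned int posted_alloc_size(unsigned int data_len)
{
    return data_len + HEADER_SIZE;
}

/* Hypothetical hardened variant (name and out_len are assumptions).
 * Returns NULL on bad arguments, on a length that would wrap, or when
 * malloc() fails. The result is not NUL-terminated, so the total length
 * is reported through out_len. */
char *copy_data_checked(const char *data, unsigned int data_len, size_t *out_len)
{
    size_t total;
    char *buf;

    if (data == NULL || out_len == NULL)
        return NULL;

    /* Reject any length whose sum with the header would wrap. */
    if (data_len > UINT_MAX - HEADER_SIZE)
        return NULL;
    total = (size_t)data_len + HEADER_SIZE;

    buf = malloc(total);
    if (buf == NULL)
        return NULL;

    memcpy(buf, HEADER, HEADER_SIZE);
    memcpy(buf + HEADER_SIZE, data, data_len);
    *out_len = total;
    return buf;
}
```

A negative int passed as data_len converts to one of these large unsigned values, which is why the length check runs before any allocation or copy.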


