Bugtraq mailing list archives
Re: the purpose of dynamic memory allocation
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 10 Mar 1998 09:11:24 -0500
At 03:10 AM 3/6/98 -0600, tqbf () secnet com wrote:
The "count" provided to the counted string functions is of type size_t, which is (on my machines) unsigned. This means that passing strncpy a negative number results in a "count" parameter that effectively means "infinity". I've seen at least one piece of code that had an exploitable overrun because of a coding mistake involving pointer arithmatic that resulted in strncpy() receiving a "count" of -1.
Along the same lines, I've seen the following occur: while(bytes = recv(sock, buf, bufsize, 0)) write(fd, buf, bytes); Normally, recv fails with a 0, but if things go wrong, it will fail with a -1. The third argument to write is UNSIGNED. If that occurs, we'll start at the addr of buf, and attempt to write 4GB to the fd. This is just one example of why I do not consider signed-unsigned mismatch warnings to be inconsequential. Let's face it - clean, solid code is normally more secure. David LeBlanc |Why would you want to have your desktop user, dleblanc () mindspring com |your mere mortals, messing around with a 32-bit |minicomputer-class computing environment? |Scott McNealy
Current thread:
- the purpose of dynamic memory allocation D. J. Bernstein (Mar 04)
- Re: the purpose of dynamic memory allocation sinster () DARKWATER COM (Mar 05)
- New OpenBSD security web page Theo de Raadt (Mar 06)
- <Possible follow-ups>
- Re: the purpose of dynamic memory allocation tqbf () secnet com (Mar 06)
- Possible Bug in CDE on HP-UX gareth greenaway (Mar 09)
- Re: Possible Bug in CDE on HP-UX Jeremy Brinkley (Mar 10)
- Re: the purpose of dynamic memory allocation David LeBlanc (Mar 10)
- Re: the purpose of dynamic memory allocation Jeffrey Hutzelman (Mar 10)
- Re: the purpose of dynamic memory allocation Alan Cox (Mar 11)
- DoS (and possibly more) on MDaemon for NT/95 Alvaro Martinez Echevarria (Mar 10)
- MDaemon SMTP Server Buffer Overflow's Aleph One (Mar 10)
- Security problem in Slackware. Suman_Saraf (Mar 11)
- Re: Security problem in Slackware. Peter van Dijk (Mar 13)
- /tmp event logger Michal Zalewski (Mar 14)
- Re: /tmp event logger Theo de Raadt (Mar 15)
- Possible Bug in CDE on HP-UX gareth greenaway (Mar 09)
- Vunerable shell scripts Michal Zalewski (Mar 14)
- More broadcast fun T. Freak (Mar 14)