Vulnerability Development mailing list archives
Re: memcpy with negative length and destination on heap - exploitable?
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Wed, 26 Dec 2001 21:28:30 +0100 (MET)
On Mon, 24 Dec 2001, 3APA3A wrote:
> memcpy(dst, src + POSITION + 1, len);
> ...
> len is too long then converted to size_t and memcpy will crash...
> Is it possible to avoid it if destination buffer is on heap?
> Program is available on all possible platforms :)
It is possible to avoid a crash if...

1. memcpy() is implemented in a way that turns it into an empty operation
   when you call it with a (small) negative length

   Example:
   char *last = dst + len;
   while (dst < last) *dst++ = *src++;

2. all dst[i] and src[POSITION+1+i] for each i, 0 <= i < (size_t)len are
   confined to regions of memory that are fully mapped (i.e. writes or reads
   will not cause faults) and the destination region does not intersect with
   any vital part of the process (code, stack)

   Example: 16-bit segmented memory model, e.g. the large mm of the old
   "good" 8086 (and 80286)

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
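An added C example, not from either poster, illustrating the two halves of the answer above: what a small negative int becomes once converted to size_t, a copy loop of the "empty operation" kind Pavel describes (rewritten with an index rather than a pointer so a negative length stays well-defined), and the bounds check a defender would put in front of the memcpy so the conversion never happens. POSITION, checked_copy, loop_copy_count and the sample buffers are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POSITION 3  /* constructed offset; only the name comes from the thread */

/* The conversion the original poster describes: -1 -> SIZE_MAX, -5 -> SIZE_MAX - 4. */
size_t negative_len_as_size_t(int len) {
    return (size_t)len;
}

/* Mirrors Pavel's first case: a copy whose loop condition is a signed
 * comparison fails immediately for negative len and copies nothing.
 * Returns the number of bytes actually copied. */
size_t loop_copy_count(char *dst, const char *src, long len) {
    size_t copied = 0;
    for (long i = 0; i < len; i++) { dst[i] = src[i]; copied++; }
    return copied;
}

/* Hypothetical hardened wrapper: reject a negative len before it is widened
 * to size_t, then check the read and the write stay inside their buffers. */
bool checked_copy(char *dst, size_t dst_size,
                  const char *src, size_t src_size, int len) {
    if (len < 0) return false;
    size_t n = (size_t)len;
    size_t src_off = (size_t)POSITION + 1;
    if (src_off > src_size || n > src_size - src_off) return false;
    if (n > dst_size) return false;
    memcpy(dst, src + src_off, n);
    return true;
}

int main(void) {
    char src[] = "0123456789abcdef";  /* constructed input */
    char dst[8] = {0};
    printf("(size_t)-1 = %zu\n", negative_len_as_size_t(-1));
    printf("len=4:  %s (%s)\n", checked_copy(dst, sizeof dst, src, sizeof src, 4) ? "copied" : "rejected", dst);
    printf("len=-1: %s\n", checked_copy(dst, sizeof dst, src, sizeof src, -1) ? "copied" : "rejected");
    printf("loop copy with len=-3 moved %zu bytes\n", loop_copy_count(dst, src, -3));
    return 0;
}
```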
Current thread:
- memcpy with negative length and destination on heap - exploitable? 3APA3A (Dec 24)
- Re: memcpy with negative length and destination on heap - exploitable? dullien (Dec 26)
- Re: memcpy with negative length and destination on heap - exploitable? Pavel Kankovsky (Dec 26)