Vulnerability Development mailing list archives
Re: Administrivia: List Announcement
From: Brian Hatch <vuln-dev () ifokr org>
Date: Tue, 13 May 2003 10:45:21 -0700
#include <stdio.h> #include <stdlib.h> #define SIZE 252 int main(int argc, char *argv[]) { int i; char *p1, *p2; char *buf1 = malloc(SIZE); char *buf2 = malloc(SIZE);
Fail to verify buf1 and buf2 != NULL after malloc. (and why not just use 'char buf1[SIZE]; and char buf2[SIZE];' ?? And for goodness sake, let's cast things properly if you're going to malloc, and for good form include the size of the element, even when it's a char: char *buf1 = (char*)malloc( SIZE * sizeof(char) );
p1 = argv[1], p2 = argv[2]; strncpy(buf2, p2, SIZE);
strncpy doesn't null terminate if strlen(p2) > SIZE. (Not necessarily an issue for this dinky program.)
for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i];
Why not NULL terminate buf1? (Again, we're not using it here anyway, but it seems silly not to.)
free(buf1); free(buf2);
Assume the user makes the malloc fail by setting nasty process limits. Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into the locations they would be. Voila - overflow. Or, since we're free'ing a memory location that was never malloc'd, it's kind of like a double free bug (though since it was never malloc'd properly in the first place, perhaps it needs a better name.) -- Brian Hatch Time exists solely Systems and for the purpose of Security Engineer preventing everything www.hackinglinuxexposed.com from happening at once. Every message PGP signed
Attachment:
_bin
Description:
Current thread:
- Administrivia: List Announcement Dave McKinney (May 13)
- Re: Administrivia: List Announcement David Riley (May 13)
- Re: Administrivia: List Announcement Benjamin A. Okopnik (May 13)
- Re: Administrivia: List Announcement Edinelson Keiji Shimokawa (May 14)
- Re: Administrivia: List Announcement Benjamin A. Okopnik (May 13)
- Re: Administrivia: List Announcement Brian Hatch (May 13)
- Re: Administrivia: List Announcement Wojciech Purczynski (May 14)
- Re: Administrivia: List Announcement Luciano Miguel Ferreira Rocha (May 14)
- vulndev-1.c challenge (was Re: Administrivia: List Announcement) Bennett Todd (May 13)
- Re: Administrivia: List Announcement Bernie Cosell (May 13)
- Re: Administrivia: List Announcement Valdis . Kletnieks (May 15)
- partial analysis of vulndev-1.c David R. Piegdon (May 13)
- Re: partial analysis of vulndev-1.c Dana Epp (May 13)
- Re: partial analysis of vulndev-1.c master of chaos - lord of mean (May 13)
- RE: partial analysis of vulndev-1.c David Schwartz (May 13)
- Re: partial analysis of vulndev-1.c Nexus (May 14)
- Re: Administrivia: List Announcement David Riley (May 13)