Bugtraq mailing list archives
Re: ActiveX Buffer Overruns
From: aviram () JENIK COM (Aviram Jenik)
Date: Mon, 4 Oct 1999 07:52:53 +0200
Hi.
> It appears that the ActiveX/OLE/COM technology in general does no buffer
> checks before passing parameters to controls, leaving the checking up to
> the control in question.

Huh?! Buffers passed to a COM object (or ActiveX control: it's the same thing) are marshaled by the COM subsystem, and their size *has* to be specified. The object gets a buffer of that specific size, and buffer checks are done all over the place.

The most common way of passing parameters in ActiveX controls is through BSTRs, which include the size of the string in their first character. There's no way to overflow a BSTR. The buffer overflows you discovered arise from a situation where the programmer extracted the buffer from the BSTR, and put it into a simple character array of the form char[256], without bothering to check if the fixed size of the character array is large enough to hold the string.

The COM architecture has nothing to do with this buffer overflow (on the contrary: it makes it very difficult for programmers to create buffer overflows. But I guess some are talented enough to bypass this difficulty ;-) )

-------------------------
Aviram Jenik
"Addicted to Chaos"
-------------------------
Today's quote:
- Real programmers think structured programming is a communist plot.
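The defect the post describes, as an added example in C that is not from the post or from any real control: a portable stand-in for the BSTR length prefix (an assumed model of the SysAllocString layout, since the real allocator is Windows-only), the unchecked narrowing into a char[256] next to a version that consults the prefix before copying.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for a COM BSTR: a 32-bit byte-length prefix sits just
 * before the UTF-16 data that the pointer addresses (the real thing comes
 * from SysAllocString; this model only reproduces the layout). */
typedef uint16_t *BSTR_LIKE;

static BSTR_LIKE bstr_alloc(const char *ascii, size_t n) {
    uint32_t *hdr = malloc(sizeof(uint32_t) + (n + 1) * sizeof(uint16_t));
    uint16_t *data = (uint16_t *)(hdr + 1);
    hdr[0] = (uint32_t)(n * sizeof(uint16_t));       /* length prefix, bytes */
    for (size_t i = 0; i < n; i++) data[i] = (uint16_t)(unsigned char)ascii[i];
    data[n] = 0;
    return data;
}
static void bstr_free(BSTR_LIKE s) { free((uint32_t *)s - 1); }
/* Character count read from the prefix, as SysStringLen would report. */
static uint32_t bstr_len(BSTR_LIKE s) { return ((uint32_t *)s)[-1] / sizeof(uint16_t); }

/* The defect the post describes: the control narrows the BSTR into a fixed
 * char[256] and never consults the length prefix, so any parameter longer
 * than 255 characters writes past the end of `out`. */
void control_vulnerable(BSTR_LIKE param, char out[256]) {
    size_t i = 0;
    while (param[i] != 0) { out[i] = (char)param[i]; i++; }  /* no bound */
    out[i] = '\0';
}

/* Hardened form: compare the prefix with the destination size before
 * copying. Returns 0 on success, -1 when the string would not fit. */
int control_checked(BSTR_LIKE param, char *out, size_t outsz) {
    uint32_t n = bstr_len(param);
    if (n >= outsz) return -1;
    for (uint32_t i = 0; i < n; i++) out[i] = (char)param[i];
    out[n] = '\0';
    return 0;
}

/* Drives control_checked with a constructed n-character parameter and a
 * 256-byte local buffer; returns the control's status code. */
int try_checked(size_t n) {
    char buf[256], *src = malloc(n + 1);
    memset(src, 'A', n);
    BSTR_LIKE b = bstr_alloc(src, n);
    int rc = control_checked(b, buf, sizeof buf);
    bstr_free(b);
    free(src);
    return rc;
}
```

The checked version rejects a 256-character parameter outright, which is the bound the unchecked loop silently crosses.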