Vulnerability Development mailing list archives

Re: Secure coding in C (was Re: Administrivia #4883)


From: spin () MASSIVE CH (spin0ff)
Date: Sun, 16 Jan 2000 14:27:42 +0100


On Sat, 15 Jan 2000, Liviu Daia wrote:

On 14 January 2000, Marco Walther <marcow () JENA ENG SUN COM> wrote:
"BT" == Bennett Todd <bet () RAHUL NET> writes:
BT> For a specific case, is there any security hole directly implied
BT> by this C fragment, assuming attackers could control the contents
BT> of a and b?

BT>         char *a = something();
BT>         char *b = something_else();
BT>         int len = strlen(a) + strlen(b);
BT>         char *c = malloc(len + 1);   /* assign the pointer, then test it */
BT>         if (c == NULL)
BT>                 die("malloc");
BT>         (void) strcat(strcpy(c, a), b);

I don't see any problems here;-)
[...]

    Oh, come on.  What if a and b are not null-terminated?

both strlen calls will return when they encounter a \0, implying that after
the third line, len will be long enough to hold a, b and the garbage
following both a and b. c will be large enough to hold all of this.

c will probably not contain something useful if a and b weren't
null-terminated... but could someone point out a scenario where it could
be possible to exploit this?

  spin

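An added example, not part of the original thread or of any poster's code, that puts the quoted fragment into runnable form next to a variant for buffers whose size is known but whose termination is not. The function and helper names (concat_c_strings, concat_bounded, bounded_len, concat_self_check) and the sample buffers are constructed for this example. The first function keeps the fragment's behaviour: strlen() and memcpy() agree on the size because both derive it from the same terminator, and the only change is that the sum is held in a size_t and checked so it cannot wrap the allocation. The second takes explicit lengths and never scans beyond them, so a buffer that lacks a '\0' is handled without reading past its end.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of s, scanning at most max bytes: a bounded strlen() that stays
 * inside the buffer even when no terminator is present. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The quoted fragment as a function. It requires a and b to be
 * NUL-terminated: the lengths and the copies stop at the same '\0', so the
 * size allocated and the size written agree, but if a terminator is missing
 * strlen() reads past the end of that buffer. The sum is checked so a huge
 * input cannot wrap the allocation size. */
char *concat_c_strings(const char *a, const char *b)
{
    size_t la = strlen(a);
    size_t lb = strlen(b);
    char *c;

    if (la > SIZE_MAX - 1 - lb)      /* la + lb + 1 would overflow size_t */
        return NULL;
    c = malloc(la + lb + 1);
    if (c == NULL)
        return NULL;
    memcpy(c, a, la);
    memcpy(c + la, b, lb);
    c[la + lb] = '\0';
    return c;
}

/* Variant for attacker-controlled data whose size comes from the protocol
 * or from a read() return value rather than from a terminator. Nothing here
 * scans beyond the given sizes, so a missing '\0' cannot cause an over-read;
 * an embedded '\0' still ends the string, as in the original. */
char *concat_bounded(const char *a, size_t a_size, const char *b, size_t b_size)
{
    size_t la = bounded_len(a, a_size);
    size_t lb = bounded_len(b, b_size);
    char *c;

    if (la > SIZE_MAX - 1 - lb)
        return NULL;
    c = malloc(la + lb + 1);
    if (c == NULL)
        return NULL;
    memcpy(c, a, la);
    memcpy(c + la, b, lb);
    c[la + lb] = '\0';
    return c;
}

/* Runs the constructed cases; returns 1 when every one behaves as expected. */
int concat_self_check(void)
{
    /* Constructed sample: a 4-byte buffer with no terminator at all. */
    char raw[4] = { 'a', 'b', 'c', 'd' };
    /* Constructed sample: a '\0' embedded before the end of the buffer. */
    char embedded[5] = { 'x', 'y', '\0', 'z', 'z' };
    int ok = 1;
    char *r;

    r = concat_c_strings("foo", "bar");
    ok = ok && r != NULL && strcmp(r, "foobar") == 0;
    free(r);

    /* raw has no '\0'; the bounded variant stops at sizeof raw. */
    r = concat_bounded(raw, sizeof raw, "!", 1);
    ok = ok && r != NULL && strcmp(r, "abcd!") == 0;
    free(r);

    /* embedded stops at its '\0'; raw is taken whole. */
    r = concat_bounded(embedded, sizeof embedded, raw, sizeof raw);
    ok = ok && r != NULL && strcmp(r, "xyabcd") == 0;
    free(r);

    return ok;
}

int main(void)
{
    printf("%s\n", concat_self_check() ? "all cases ok" : "FAILED");
    return 0;
}
```

Compile with `cc -Wall -o concat concat.c && ./concat`. The point of the split is where the length comes from: concat_c_strings is only as safe as the guarantee that a and b carry a terminator, while concat_bounded needs no such guarantee because the caller passes the buffer sizes it already knows.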
